lfrestrepog
Posted: Tue Apr 28, 2020 5:03 am    Post subject: Is it possible to disable XML internal entities?
Novice
Joined: 08 Jul 2014    Posts: 22
Hello, good day.
Is it possible to disable XML internal entities? Or maybe completely ignore inline DTD?
According to the knowledge center, inline DTD is read while parsing and entities are expanded (https://www.ibm.com/support/knowledgecenter/en/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ad67050_.html). I made a few experiments to verify that schema validation works fine with XML entities (no surprise there), but our security team argues this is a vulnerability. Now, I don't think the risk is too high (external entities are disabled/ignored and the bus is accessible only to trusted applications), but perhaps a properly crafted XML document could lead to a denial of service, right?
Has anyone looked into this before? Is there any workaround available to address this vulnerability?
Any comment would be much appreciated. Thanks.
(Stay safe and wash your hands frequently!)
_________________
--
Luis Fernando Restrepo Gutiérrez
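The pre-parse check the question is asking about can be done in front of the broker rather than inside the parser. The following is an added example written for this thread, not IIB or DataPower code: it reads only the inline DTD of a document, computes how large each internal general entity would become when fully expanded, flags SYSTEM/PUBLIC references, and rejects the document before any XML parser expands anything. The sample documents and the size limit are constructed for the example.

```python
import re

# Added example, not vendor code: judge a document on its inline DTD alone, before parsing.
# Coarse by design (regex, not a DTD parser); false positives are acceptable at a gate.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b(?P<decl>[^\[>]*)(?:\[(?P<subset>.*?)\]\s*)?>", re.S)
# Internal general entity: <!ENTITY name "value"> or 'value' (parameter entities excluded).
INTERNAL_ENTITY_RE = re.compile(r"""<!ENTITY\s+(?!%)([^\s"'>]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
EXTERNAL_RE = re.compile(r"\b(?:SYSTEM|PUBLIC)\b")  # external DTD/entity references: flag, never fetch
ENTITY_REF_RE = re.compile(r"&([^\s;&]+);")

def expansion_size(name, entities, memo, stack):
    """Worst-case character length of entity `name` after every nested reference is expanded."""
    if name in memo:
        return memo[name]
    if name in stack:  # a cycle such as a -> b -> a, which the XML spec forbids
        raise ValueError(f"recursive entity reference: {name}")
    value = entities.get(name)
    if value is None:  # undeclared or predefined (&amp; etc.): the parser leaves it as written
        return len(name) + 2
    stack.add(name)
    size = len(value)
    for ref in ENTITY_REF_RE.findall(value):  # swap each "&ref;" for its own expanded length
        size += expansion_size(ref, entities, memo, stack) - (len(ref) + 2)
    stack.discard(name)
    memo[name] = size
    return size

def inspect_xml(text, max_expansion=10_000, allow_dtd=False):
    """Return (accept, report). With allow_dtd=False any DOCTYPE is rejected outright."""
    report = {"has_dtd": False, "external_refs": False, "entities": {}, "max_expansion": 0}
    m = DOCTYPE_RE.search(text)
    if not m:
        return True, report
    report["has_dtd"] = True
    subset = m.group("subset") or ""
    report["external_refs"] = bool(EXTERNAL_RE.search(m.group("decl") + subset))
    entities = {n: dq or sq for n, dq, sq in INTERNAL_ENTITY_RE.findall(subset)}
    try:
        for name in entities:  # the memo doubles as the per-entity size table in the report
            expansion_size(name, entities, report["entities"], set())
    except ValueError as exc:
        report["error"] = str(exc)
        return False, report
    report["max_expansion"] = max(report["entities"].values(), default=0)
    accept = allow_dtd and not report["external_refs"] and report["max_expansion"] <= max_expansion
    return accept, report

# Constructed samples: a three-level chain (a -> b -> c) whose &c; expands to 18 characters.
CLEAN = '<?xml version="1.0"?><r>&amp;</r>'
CHAINED = '<!DOCTYPE r [<!ENTITY a "lol"><!ENTITY b "&a;&a;"><!ENTITY c "&b;&b;&b;">]><r>&c;</r>'
```

Run `inspect_xml(CHAINED)` to see the rejection with the per-entity sizes, and `inspect_xml(CHAINED, allow_dtd=True, max_expansion=10)` to see the size limit doing the same job when a DTD must be tolerated.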
timber
Posted: Tue Apr 28, 2020 7:53 am    Post subject:
Grand Master
Joined: 25 Aug 2015    Posts: 1292
Quote:
    perhaps a properly crafted XML document could lead to a denial of service, right?
It depends on how good your security gateway is and how well it is configured. IBM DataPower can automatically detect and reject any dangerous XML documents including (but not limited to) 'billion laughs' and similar XML bombs.
If the security team are concerned about that specific type of attack then they probably should also be concerned about other, more serious types of attack. Because as you rightly said, IIB is only accessible to trusted applications and if somebody could send it an XML bomb then they could probably do a lot of other, more damaging stuff.
Vitor
Posted: Tue Apr 28, 2020 8:28 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
It's unusual in my experience to have IIB directly outward facing. You typically have it behind DataPower or similar perimeter defense (as my worthy associate says), and often with an application layer in the mix somewhere.
Someone who can deliver an XML bomb to IIB is a dangerous person to have in your estate.
_________________
Honesty is the best policy.
Insanity is the best defence.
lfrestrepog
Posted: Tue Apr 28, 2020 1:51 pm    Post subject:
Novice
Joined: 08 Jul 2014    Posts: 22
Right, we do have Datapower for all external facing integrations, and some authentication mechanisms for internal endpoints.
Just wanted to make sure I didn't miss some configuration in the knowledge center.
Thanks for your replies. Regards.
_________________
--
Luis Fernando Restrepo Gutiérrez
Krish318
Posted: Tue Aug 11, 2020 3:27 am    Post subject:
Newbie
Joined: 11 Aug 2020    Posts: 2
Hi All,
Even I am facing the same issue. Is there any solution to validate or restrict DTD in IIB? We don't want to allow DTD to be parsed. If anyone has a solution, please help to resolve this issue.
Vitor
Posted: Tue Aug 11, 2020 6:33 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
Krish318 wrote:
    If anyone has a solution, please help to resolve this issue.
The same solution as outlined above - use a good security gateway between IIB and the outside world.
_________________
Honesty is the best policy.
Insanity is the best defence.