Download version 5.0.2 for analysis.

The 5.0.2 WAR package is at http://archive.apache.org/dist/roller/roller-5/v5.0.2/bin/roller-weblogger-5.0.2-for-javaee.zip

Starting the analysis from web.xml, we can see the following servlet mapping:

    <servlet>
        <servlet-name>XmlRpcServlet</servlet-name>
        <servlet-class>org.apache.xmlrpc.webserver.XmlRpcServlet</servlet-class>
        <init-param>
            <description>
                Sets, whether the servlet supports vendor extensions for XML-RPC.
            </description>
            <param-name>enabledForExtensions</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet>

This points to the class org.apache.xmlrpc.webserver.XmlRpcServlet.

Starting with doPost:

    // The server field belongs to the servlet class, not to the method body;
    // doPost simply hands the request and response over to it.
    private XmlRpcServletServer server;

    public void doPost(HttpServletRequest pRequest, HttpServletResponse pResponse) throws IOException, ServletException {
        server.execute(pRequest, pResponse);
    }

This points to org.apache.xmlrpc.webserver.XmlRpcServletServer:

    public void execute(HttpServletRequest pRequest, HttpServletResponse pResponse)
            throws ServletException, IOException {
        XmlRpcHttpRequestConfigImpl config = getConfig(pRequest);
        ServletStreamConnection ssc = newStreamConnection(pRequest, pResponse);
        try {
            super.execute(config, ssc);
        } catch (XmlRpcException e) {
            throw new ServletException(e);
        }
    }

The line super.execute(config, ssc); calls the parent class's execute method.

    public class XmlRpcServletServer extends XmlRpcHttpServer

The parent class is XmlRpcHttpServer. No execute method is defined there, so we continue up the hierarchy to the XmlRpcStreamServer class:

    public abstract class XmlRpcHttpServer extends XmlRpcStreamServer

The XmlRpcStreamServer class does define an execute method:

    public void execute(XmlRpcStreamRequestConfig pConfig,
                        ServerStreamConnection pConnection)
            throws XmlRpcException {
        log.debug("execute: ->");
        try {
            Object result;
            Throwable error;
            InputStream istream = null;
            try {
                istream = getInputStream(pConfig, pConnection);
                XmlRpcRequest request = getRequest(pConfig, istream);
                result = execute(request);
                istream.close();
                istream = null;
                error = null;
                log.debug("execute: Request performed successfully");
            } catch (Throwable t) {
                logError(t);
                result = null;
                error = t;
            } finally {
                if (istream != null) { try { istream.close(); } catch (Throwable ignore) {} }
            }
            ....... // irrelevant code omitted
        }

Note the line XmlRpcRequest request = getRequest(pConfig, istream);, which calls the getRequest method of the same class:

    protected XmlRpcRequest getRequest(final XmlRpcStreamRequestConfig pConfig,
                                       InputStream pStream) throws XmlRpcException {
        final XmlRpcRequestParser parser = new XmlRpcRequestParser(pConfig, getTypeFactory());
        final XMLReader xr = SAXParsers.newXMLReader();
        xr.setContentHandler(parser);
        ..... // irrelevant code omitted
    }

In getRequest() there is this line: XMLReader xr = SAXParsers.newXMLReader(); which leads to the SAXParsers class:

    public class SAXParsers {
        private static final SAXParserFactory spf;
        static {
            spf = SAXParserFactory.newInstance();
            spf.setNamespaceAware(true);
            spf.setValidating(false);
        }

        /** Creates a new instance of {@link XMLReader}.
         */
        public static XMLReader newXMLReader() throws XmlRpcException {
            try {
                return spf.newSAXParser().getXMLReader();
            } catch (ParserConfigurationException e) {
                throw new XmlRpcException("Unable to create XML parser: " + e.getMessage(), e);
            } catch (SAXException e) {
                throw new XmlRpcException("Unable to create XML parser: " + e.getMessage(), e);
            }
        }
    }

The relevant part is the static initializer:

    spf = SAXParserFactory.newInstance();
    spf.setNamespaceAware(true);
    spf.setValidating(false);

The request body is parsed as-is: the factory only sets namespace awareness and disables validation, and places no restriction on DOCTYPE declarations or external entity resolution. That is what causes the XXE vulnerability.
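To make the difference concrete, here is an added example (my own code, not from this post and not from Apache XML-RPC or Roller) that builds two SAXParserFactory instances: one configured exactly like the SAXParsers static initializer quoted above, and one hardened with the standard SAX/Xerces feature flags that the JDK's built-in parser understands. Both are fed a constructed XML-RPC methodCall that carries a DOCTYPE with an external entity; the SYSTEM URI is a placeholder and the only point is that a DOCTYPE is present. The class and method names are my own.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SaxParsersHardening {

    // Mirrors the SAXParsers static initializer quoted above: namespace-aware,
    // non-validating, and silent about DOCTYPE and entities, so the parser's
    // defaults apply and external entities are resolved.
    static SAXParserFactory weakFactory() {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setValidating(false);
        return spf;
    }

    // Hardened variant. XML-RPC never needs a DTD, so refusing any DOCTYPE
    // outright is the simplest fix; the remaining flags are defence in depth
    // for parser implementations that ignore disallow-doctype-decl.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setValidating(false);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf;
    }

    // Parse xml with a reader obtained the same way newXMLReader() does it.
    // Returns "ok" when the document is accepted, "rejected: ..." when the
    // parser refuses it, and "attempted external fetch: ..." when the parser
    // tried to open the entity's SYSTEM URI and failed at the I/O layer.
    static String tryParse(SAXParserFactory spf, String xml) throws Exception {
        XMLReader xr = spf.newSAXParser().getXMLReader();
        xr.setContentHandler(new DefaultHandler());
        try {
            xr.parse(new InputSource(new StringReader(xml)));
            return "ok";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "attempted external fetch: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request; the SYSTEM URI is a placeholder path.
        String sample =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE methodCall [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n" +
            "<methodCall><methodName>&ext;</methodName></methodCall>";

        System.out.println("as-shipped factory: " + tryParse(weakFactory(), sample));
        System.out.println("hardened factory  : " + tryParse(hardenedFactory(), sample));
    }
}
```

With the as-shipped configuration the parser goes to the I/O layer to open the placeholder URI before it ever reaches the XML-RPC handler, which is the behaviour an XXE payload relies on; with the hardened factory the DOCTYPE itself is rejected as a SAXParseException and no resolution is attempted. The same flags can be set on the factory returned by SAXParsers, since the application never passes DTDs over XML-RPC.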

Fix:
