DoS vulnerability in REXML
Wednesday, August 27, 2008 at 3:21PM

Here is a security announcement for the REXML library (links by me) in the Ruby news:
There is a DoS vulnerability in the REXML library used by Rails to parse incoming XML requests. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML. Most Rails applications will be vulnerable to this attack.
Impact
An attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
<!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
<!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
<!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
<!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>
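The document above is small, but each of the six outer entities multiplies the one below it tenfold, so a single reference to &a; forces the parser to materialise a million copies of entity g. The defensive point is that this cost can be computed from the declarations alone, without ever building the expanded string. The following Ruby is an added example written for this page; it is not code from the post, the Ruby announcement or the rexml-expansion-fix. It handles only the DOCTYPE internal subset and general (&name;) references, treats a self-referencing entity as an error rather than looping, and the 10_000 expansion limit is a value chosen here for the example, not a REXML setting.

```ruby
# Added example (not code from the original post or from the REXML fix).
# Estimates the cost of expanding an XML document's general entities
# *before* the document is handed to a parser, so an "entity explosion"
# payload can be rejected cheaply. Only the DOCTYPE internal subset and
# &name; references are handled; external and parameter entities are not.

# The sample document from the post, used as constructed test input.
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
  ]>
  <member>
  &a;
  </member>
XML

# Entities every XML parser knows; expanding one yields a single character.
PREDEFINED_ENTITIES = %w[lt gt amp quot apos].freeze

# Maximum number of entity expansions we are willing to perform.
# The value is this example's own choice, not taken from REXML.
EXPANSION_LIMIT = 10_000

# Collect <!ENTITY name "value"> declarations from the internal subset.
def parse_entities(xml)
  entities = {}
  subset = xml[/<!DOCTYPE[^\[>]*\[(.*?)\]\s*>/m, 1]
  return entities unless subset
  subset.scan(/<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>/) do |name, dq, sq|
    entities[name] = dq || sq
  end
  entities
end

# Returns [expanded_length, expansion_count] for +text+ without building
# the expanded string. Each entity's cost is memoised, so the work is
# proportional to the number of declarations rather than to the output
# size. Self-referencing entities raise instead of looping forever.
def expansion_cost(text, entities, memo = {}, stack = [])
  ref = /&(\w+);/
  length = 0
  count = 0
  pos = 0
  while (md = ref.match(text, pos))
    name = md[1]
    length += md.begin(0) - pos     # literal text before the reference
    pos = md.end(0)
    if PREDEFINED_ENTITIES.include?(name)
      length += 1
    elsif !entities.key?(name)
      length += md[0].length        # undeclared: counted as literal text
    elsif stack.include?(name)
      raise ArgumentError, "recursive entity reference: #{name}"
    else
      memo[name] ||= expansion_cost(entities[name], entities, memo, stack + [name])
      sub_length, sub_count = memo[name]
      length += sub_length
      count += 1 + sub_count        # this expansion plus everything it triggers
    end
  end
  length += text.length - pos       # trailing literal text
  [length, count]
end

# Pre-parse check: how big would this document get, and should we refuse it?
def check_entity_expansion(xml, limit: EXPANSION_LIMIT)
  entities = parse_entities(xml)
  body = xml.sub(/<!DOCTYPE.*?\]\s*>/m, '')   # entity refs in the instance only
  length, count = expansion_cost(body, entities)
  { expanded_length: length, expansions: count, safe: count <= limit }
rescue ArgumentError => e
  { error: e.message, safe: false }
end

if __FILE__ == $PROGRAM_NAME
  p check_entity_expansion(SAMPLE_XML)
  p check_entity_expansion('<member>&lt;ok&gt;</member>')
end
```

For the sample document the check reports 1,111,111 expansions (one for &a;, ten for the &b; references it contains, and so on down to the million references to g) and marks it unsafe, while an ordinary document with no declared entities costs nothing. Counting expansions rather than bytes is what makes the check robust: an attacker cannot make the innermost entity shorter to sneak under a size threshold without also shrinking the damage.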
M. Koziarski provides a Rails-specific solution to the problem:
The announcement contains details describing a monkeypatch which can be applied to prevent the risk. These instructions are reproduced below with more Rails-specific information:

Versions 2.0.2 and earlier

1. Copy the fix file into RAILS_ROOT/lib
2. Require the file from environment.rb:
require 'rexml-expansion-fix'

Versions 2.1.0 and edge

Copy the fix file into RAILS_ROOT/config/initializers, it will be required automatically.

There is also a gem available which includes the fix file:
gem install rexml-expansion-fix
Once that command has completed add the following line to the bottom of your environment.rb file:
require 'rexml-expansion-fix'
Reader Comments (1)
This vulnerability has been known about for quite some time. When I looked at RoR about a year ago, there were a couple of message board posts that I could dig up that talked about it.
Most XML parsing engines solve this by providing a property that disables DTD parsing (e.g. .Net and MSXML both have .prohibitDTD properties). You could accomplish this same goal using REXML by overriding the entity resolver method to basically refuse to resolve anything but the standard entities.
Sorry for not providing more references, but I looked into this so long ago that I don't have all of my information in front of me.