SECURITY: remote code execution due to XML deserialization in Restlet #774
Comments
Hello,

It has been decided to remove the default support of XML-serialized JavaBean using the ObjectRepresentation inside the default converter provided by the framework (NB: the binary representation is still supported). This support is activated using a system property (org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED). Here is the comment added:

SECURITY WARNING: The usage of {@link XMLDecoder} when deserializing XML representations from untrusted sources can lead to malicious attacks. As pointed out here, the {@link XMLDecoder} is able to force the JVM to execute unwanted Java code described inside the XML file. Thus, the support of such format has been deactivated by default inside the default converter. You can activate this support by turning on the following system property: org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED.
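To make the mechanism described in the comment above concrete, here is an added stand-alone Java example; it is not Restlet code and not part of the original thread. It feeds a constructed XMLDecoder document to java.beans.XMLDecoder to show that the document itself chooses which class and which method the JVM invokes (a harmless static call is used here instead of a command-execution payload), and then wraps the same decode in a gate keyed on the system property named in the comment. The class and method names in the example are hypothetical; only the property name is taken from the comment.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

/**
 * Added example, not Restlet code. Demonstrates why java.beans.XMLDecoder
 * must never be applied to untrusted input, and a gate modelled on the
 * system property named in the issue comment. The property name is the
 * real one from the comment; the class and method names here are hypothetical.
 */
public class XmlDecoderDemo {

    // Constructed input. An XMLDecoder document does not have to describe a
    // JavaBean: an <object> element may name ANY class on the classpath and,
    // via the method attribute, ANY static method on it. A harmless call is
    // used here to show the mechanism; the same syntax can name a class that
    // spawns processes, which is what the public reproducer relies on.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n"
      + "  <object class=\"java.lang.System\" method=\"getProperty\">\n"
      + "    <string>java.version</string>\n"
      + "  </object>\n"
      + "</java>\n";

    /** Unsafe: decodes whatever the body describes, as the old default
     *  converter effectively did for the XML variant of ObjectRepresentation. */
    static Object decodeUnsafe(String xml) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
            // XMLDecoder instantiates classes and invokes methods while reading.
            return decoder.readObject();
        }
    }

    static final String XML_SUPPORT_PROP =
        "org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED";

    /** Gated: refuse the XML variant unless the operator explicitly opted in
     *  (e.g. -Dorg.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED=true). */
    static Object decodeGated(String xml) {
        if (!Boolean.getBoolean(XML_SUPPORT_PROP)) {
            throw new IllegalStateException(
                "XML-serialized JavaBean input is disabled; enable "
                + XML_SUPPORT_PROP + " only for trusted sources");
        }
        return decodeUnsafe(xml);
    }

    public static void main(String[] args) {
        // 1. The unsafe path invokes the attacker-chosen method: the returned
        //    value is the result of java.lang.System.getProperty("java.version"),
        //    proving that the XML body, not the application, picked the call.
        Object result = decodeUnsafe(UNTRUSTED_XML);
        System.out.println("unsafe decode invoked System.getProperty -> " + result);

        // 2. The gated path rejects the same body unless the property is set.
        try {
            decodeGated(UNTRUSTED_XML);
            System.out.println("gated decode ran because the property is set");
        } catch (IllegalStateException e) {
            System.out.println("gated decode refused: " + e.getMessage());
        }
    }
}
```

The point of the gate is not that the XML format becomes safe once the property is set; it is that an operator has to make a deliberate decision to accept it, and that decision should only be made for sources that are already trusted to run code on the server.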
…tion. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz.
Thanks Thierry. Given that this issue has a serious security impact, and a working exploit is publicly available, I think it would be a good idea to release a new minor version of restlet that includes this patch. Please note that CVE-2013-4221 has been assigned to this issue:
…serialization, binary-deserialization on ObjectRepresentation class. Reported by David Jorm.
Dinis Cruz has published information on remote code execution due to XML deserialization in Restlet:
http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
https://github.com/o2platform/DefCon_RESTing
I have tested his reproducer and confirmed it works against Restlet 2.0 and 2.2.