From: Scott Cantor Date: Wed, 10 Jan 2018 12:20:07 -0500 Subject: CVE-2018-0486: vulnerability to forged user attribute data The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing. Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information. While the use of XML Encryption can serve as a mitigation for this bug, it may still be possible to construct attacks in such cases, and the SP does not provide a means to enforce its use. CPPXT-127 - Block entity reference nodes during unmarshalling. https://issues.shibboleth.net/jira/browse/CPPXT-127 --- xmltooling/io/AbstractXMLObjectUnmarshaller.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp index ae2709e..487348e 100644 --- a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp +++ b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp @@ -206,6 +206,8 @@ void AbstractXMLObjectUnmarshaller::unmarshallContent(const DOMElement* domEleme else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) { m_log.debug("processing text content at position (%d)", position); setTextContent(childNode->getNodeValue(), position); + } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) { + throw UnmarshallingException("Unmarshaller found Entity/Reference node."); } childNode = childNode->getNextSibling();