A Serious Vulnerability

Security testing at a large Lift-powered site revealed a serious XML-related security vulnerability.

The core issue is that versions of Lift prior to the recently patched 2.5.2, 2.6.1, and 3.0-M4 are vulnerable to an XML eXternal Entity (XXE) attack. The attack allows access to the local filesystem via XML entities:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

The root cause of the problem is that Lift uses Scala's scala.xml.XML library for parsing and the default configuration of that library is insecure.

We reached out to the Typesafe folks to let them know about the vulnerability. They pointed us to how Play! handles XML-related issues as well as an open ticket related to scala.xml's security. A shout-out to Typesafe for doing security right and for being helpful to the Lift team.

We released Lift 2.5.2 and 2.6.1 earlier this week to fix the XXE issue, and just released 2.5.3 and 2.6.2 that harden XML parsing further. We suggest that Lift apps (or any apps) that use scala.xml.XML switch to net.liftweb.util.Helpers.secureXML, which has an identical API but is secured against several common XML vulnerabilities.
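To show the difference in behaviour, here is an added example (not Lift's code, and not a description of how secureXML is implemented internally) that builds a hardened loader on top of scala.xml's withSAXParser hook using standard JAXP/Xerces feature URIs, then feeds it the DOCTYPE payload from above. The hardenedParser and loadHardened names are hypothetical; the sample document is constructed for the demonstration.

```scala
import javax.xml.parsers.{SAXParser, SAXParserFactory}
import scala.util.{Failure, Success, Try}
import scala.xml.{Elem, XML}

// Constructed sample: the DOCTYPE-with-external-entity shape from the advisory.
// A hardened parser rejects the DOCTYPE itself, so the entity is never resolved.
val xxeDocument: String =
  """<?xml version="1.0" encoding="ISO-8859-1"?>
    |<!DOCTYPE foo [
    |  <!ELEMENT foo ANY >
    |  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>""".stripMargin

// The insecure default the advisory describes: scala.xml.XML.loadString with a
// stock SAXParserFactory, which follows SYSTEM entities. Shown for contrast only.
def loadDefault(s: String): Try[Elem] = Try(XML.loadString(s))

// Hypothetical hardened loader (assumption: not Lift's secureXML). These are the
// standard JAXP/Xerces feature URIs supported by the JDK's built-in parser.
def hardenedParser(): SAXParser = {
  val factory = SAXParserFactory.newInstance()
  // Reject any DOCTYPE outright, so no entity declarations can be made at all.
  factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
  // Defence in depth, in case a DOCTYPE is ever permitted again.
  factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
  factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
  factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
  factory.setXIncludeAware(false)
  factory.newSAXParser()
}

// Same call shape as XML.loadString, but parsing goes through the hardened parser.
def loadHardened(s: String): Try[Elem] =
  Try(XML.withSAXParser(hardenedParser()).loadString(s))

// A simple check an app can use to verify its parser configuration at startup.
def rejectsDoctype(): Boolean = loadHardened(xxeDocument).isFailure

loadHardened(xxeDocument) match {
  case Failure(e)    => println(s"rejected as expected: ${e.getMessage}")
  case Success(elem) => println(s"parsed (parser is NOT hardened): $elem")
}
```

rejectsDoctype() returns true when the hardened parser is in effect and false with the default loader, which is a cheap regression check to keep in a test suite after switching to secureXML.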