Lift XML Vulnerability March 22, 2015
A Serious Vulnerability
Security testing at a large Lift-powered site revealed a serious XML-related security vulnerability.
The core issue is that Lift prior to the recently patched versions 2.5.2, 2.6.1, and 3.0-M4 is vulnerable to an XML eXternal Entity (XXE) attack. The attack allows access to the local filesystem via XML entities:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
The root cause of the problem is that Lift uses Scala's scala.xml.XML library for parsing, and the default configuration of that library is insecure.
We reached out to the Typesafe folks to let them know about the vulnerability. They pointed us to how Play! handles XML-related issues, as well as an open ticket related to scala.xml's security. A shout-out to Typesafe for doing security right and for being helpful to the Lift team.
We released Lift 2.5.2 and 2.6.1 earlier this week to fix the XXE issue, and
just released 2.5.3 and 2.6.2 that harden XML parsing further.
We suggest that Lift (or any) apps that use scala.xml.XML switch to using net.liftweb.util.Helpers.secureXML, which has an identical API but is secured against several common XML vulnerabilities.
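As an added illustration of what a hardened scala.xml loader looks like (this is example code written for this post, not Lift's own secureXML implementation, and the names HardenedXML and parseSafely are assumptions), the following overrides the SAX parser that scala.xml.XML uses by default so that DOCTYPE declarations and external entities are refused before any entity can be expanded:

```scala
import javax.xml.parsers.{SAXParser, SAXParserFactory}
import org.xml.sax.SAXParseException
import scala.xml.Elem
import scala.xml.factory.XMLLoader

// Drop-in replacement for scala.xml.XML: same loadString/loadFile API,
// but backed by a SAX parser with the dangerous features switched off.
object HardenedXML extends XMLLoader[Elem] {
  override def parser: SAXParser = {
    val f = SAXParserFactory.newInstance()
    f.setNamespaceAware(false)
    // Refuse any <!DOCTYPE ...>; this alone blocks the payload shown above.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Belt and braces: never resolve external general/parameter entities
    // or fetch an external DTD, even if DOCTYPEs were ever re-enabled.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f.setXIncludeAware(false)
    f.newSAXParser()
  }
}

object HardenedXMLDemo extends App {
  // Constructed input with the same shape as the advisory's payload.
  val xxePayload =
    """<?xml version="1.0" encoding="ISO-8859-1"?>
      |<!DOCTYPE foo [
      |<!ELEMENT foo ANY >
      |<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>""".stripMargin

  // Parse untrusted input; a rejected document becomes a Left instead of
  // an expanded entity or an uncaught exception in the request handler.
  def parseSafely(input: String): Either[String, Elem] =
    try Right(HardenedXML.loadString(input))
    catch { case e: SAXParseException => Left(s"rejected: ${e.getMessage}") }

  // The hardened loader rejects the DOCTYPE; a plain document still parses.
  println(parseSafely(xxePayload))
  println(parseSafely("<foo>hello</foo>"))
}
```

The feature URIs are the standard SAX/Xerces ones honoured by the JDK's built-in parser; with the default scala.xml.XML loader the same payload would have its entity resolved instead of being rejected.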