Mass closing all resolved issues not modified in the last 4 weeks
Torben Barsballe
August 31, 2015 at 4:11 PM
All the fixes for this have been backported to 2.7.x, 2.6.x, and 2.5.x (for consistency with the earlier XXE fix). Exact details of the commits involved are in an earlier comment, above.
Christian Schneider
August 23, 2015 at 12:37 PM
Yes, handling the SSRF stuff in another ticket separately is a good idea
Andrea Aime
August 23, 2015 at 9:37 AM
Marking as resolved, got no further comments. Was this backported to 2.6.x too?
Hello,
as part of security research I've found an exploitable bypass of the XXE fix in the 2.7.1.1 release, which renders the fix useless.
In order to avoid direct risk to customers (including mine) running GeoServer (even the current 2.7.1.1 release), I am not yet posting any exploitation details here, unless you ask me to post them. Please contact me directly for information about the bypass and the steps to fix it (mail@Christian-Schneider.net).
Best regards & many thanks,
Christian Schneider
@cschneider4711