Hi,
We had a security audit of our application, and the security people said we have to disable the use of the external entities in the XML parser. They say it is a vulnerability (even though they were not able to exploit that vulnerability to access some useful resource).
I understand that the basic use case is when someone would add a DTD section in the XML submitted to the application, and the DTD section would force the parser to resolve external entities, towards URLs or files for example (although I think that for files there is no risk unless the file is in a directory authorized via a directory in the DB). A basic example would be:
<!DOCTYPE foo[
<!ELEMENT foo ANY>
<!ENTITY test SYSTEM 'file:///etc/passwd'>
]>
<foo>
&test;
</foo>
I was searching for a way to disable the use of external entities at the most global level possible, but could not find any way to do that.
It is not very clear for me what the use case is in which such an attack could occur, but apparently simply parsing an XML with a DTD and external entities is enough to be vulnerable, so for example if we use an XMLTYPE constructor with an input that is not checked against the existence of a DTD section, we would be at risk?
Can anyone tell me what is the best way to protect our application? What makes it difficult is that we run the application on Oracle 10 and on Oracle 12c.
Thanks and regards,
Pierre
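The check described in the question (rejecting input that carries a DTD section before handing it to the database), shown as an added example that is not part of the original post and does not use Oracle's parser. It uses Python's standard-library expat bindings purely to illustrate the two defensive layers: detect any DOCTYPE or externally defined entity up front, and configure the parser so that it never fetches external content even if one slips through. The hostile sample is constructed from the pattern in the post; the function and result-key names are this example's own.

```python
import xml.parsers.expat as expat

# Constructed sample mirroring the DOCTYPE / SYSTEM-entity pattern from the post.
HOSTILE_XML = b"""<!DOCTYPE foo[
<!ELEMENT foo ANY>
<!ENTITY test SYSTEM 'file:///etc/passwd'>
]>
<foo>
&test;
</foo>"""

# Constructed benign sample: no DTD at all.
BENIGN_XML = b"<foo>hello</foo>"


def inspect_xml(data: bytes) -> dict:
    """Parse `data` with a hardened expat parser and report what the DTD declares.

    Returned keys (this example's own naming):
      doctype            -- DOCTYPE root name, or None if there is no DTD section
      external_entities  -- [(entity_name, system_id), ...] declared with SYSTEM/PUBLIC
      internal_entities  -- names of entities whose value is given inline
      parse_error        -- present only if parsing was aborted
    """
    findings = {"doctype": None, "external_entities": [], "internal_entities": []}
    parser = expat.ParserCreate()

    # Never load an external DTD subset or parameter entities from disk/network.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings["external_entities"].append((name, system_id))
        else:
            findings["internal_entities"].append(name)

    def on_external_ref(context, base, system_id, public_id):
        # Refuse to resolve: returning 0 makes expat abort with ExpatError
        # instead of reading the referenced file or URL.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings["parse_error"] = str(exc)
    return findings


def is_acceptable(data: bytes) -> bool:
    """Strict policy from the question: accept only input with no DTD section
    and no parse abort (so no external entity was ever referenced)."""
    findings = inspect_xml(data)
    return findings["doctype"] is None and "parse_error" not in findings


if __name__ == "__main__":
    for label, doc in (("hostile", HOSTILE_XML), ("benign", BENIGN_XML)):
        print(label, is_acceptable(doc), inspect_xml(doc))
```

The same two-layer idea applies regardless of the parser in use: a cheap front check that rejects a DOCTYPE outright is easy to put in front of any XML-accepting entry point, while the parser-level refusal to resolve external references is the safety net for inputs the front check did not see.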