Improper Control of Document Type DefinitionID: 827 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Base |
Description
The software does not restrict a reference to a Document Type
Definition (DTD) to the intended control sphere. This might allow attackers to
reference arbitrary DTDs, possibly causing the software to expose files, consume
excessive system resources, or execute arbitrary http requests on behalf of the
attacker.
Extended DescriptionAs DTDs are processed, they might try to read or include files on the
machine performing the parsing. If an attacker is able to control the DTD,
then the attacker might be able to specify sensitive resources or requests
or provide malicious content.For example, the SOAP specification prohibits SOAP messages from
containing DTDs.
Applicable PlatformsNone
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality | Read files or
directories | If the attacker is able to include a crafted DTD and a default entity
resolver is enabled, the attacker may be able to access arbitrary files
on the system. |
Availability | DoS: resource consumption
(CPU)DoS: resource consumption
(memory) | The DTD may cause the parser to consume excessive CPU cycles or memory
using techniques such as nested or recursive entity references
(CWE-776). |
IntegrityConfidentialityAvailabilityAccess_Control | Execute unauthorized code or
commandsGain privileges / assume
identity | The DTD may include arbitrary HTTP requests that the server may
execute. This could lead to other attacks leveraging the server's trust
relationship with other entities. |
Detection MethodsNone
Potential MitigationsNone
Relationships
Related CWE | Type | View | Chain |
---|
CWE-827 CanPrecede CWE-776 | Weakness | CWE-1000 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2010-2076 : Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- Daniel Kulp .Apache CXF Security Advisory (CVE-2010-2076). Published on 2010-06-16.