XXE Vulnerability due to simple-xml? #30

Open
mpretzer opened this issue Nov 27, 2019 · 4 comments

@mpretzer

According to ngallagher/simplexml#18 there is an XXE vulnerability in simple-xml, which is used by cups4j.

So in my understanding, a malicious printer or MITM could exploit cups4j users.

Can you clarify on the subject? Does cups4j mitigate against such attacks by controlling the underlying XML Parsers, as is for example implemented in https://github.com/carrotsearch/simplexml-safe?

@mpretzer
Author

No comment?

@harwey
Owner

harwey commented Dec 16, 2019

Puh, sorry, I do not have very much free time to spend on Cups4j.
Cups4j uses plain simple-xml. I need to dive into this more to be able to answer your question properly. I won't be able to check this out in the next few days.

@mpretzer
Author

mpretzer commented Feb 6, 2020

I had a quick look into cups4j. Apparently, simple-xml is only used to parse configuration files supplied by cups4j itself, loaded via classpath.
So XXE is not possible, unless the attacker controls the classpath.

However, given the lack of feedback from the author of simple-xml, I'd suggest ditching that library in favor of JAXB or maybe Jackson. At least, consider switching to the fork in https://github.com/carrotsearch/simplexml-safe
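For reference, the parser-level mitigation asked about in this thread looks like the following when applied to the standard JAXP factories. This is an added example, not code from cups4j, simple-xml or simplexml-safe; the class name and the sample payload are constructed for illustration, and it assumes the JDK's built-in DOM and StAX implementations.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.*;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {
    // Constructed sample input: a DOCTYPE declaring an external entity that points at a local file.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE cfg [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<cfg><name>&xxe;</name></cfg>";

    static DocumentBuilderFactory hardenedDom() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright, so no entity (internal or external) can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Do not process DTDs and never resolve external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        try {
            hardenedDom().newDocumentBuilder().parse(new InputSource(new StringReader(PAYLOAD)));
            System.out.println("DOM: parsed (unexpected, check parser configuration)");
        } catch (SAXParseException e) {
            System.out.println("DOM rejected input: " + e.getMessage());
        }
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = hardenedStax().createXMLStreamReader(new StringReader(PAYLOAD));
            while (r.hasNext()) if (r.next() == XMLStreamReader.CHARACTERS) text.append(r.getText());
            // If parsing completes, the entity must not have been expanded into file contents.
            System.out.println("StAX text content: [" + text + "]");
        } catch (XMLStreamException e) {
            System.out.println("StAX rejected input: " + e.getMessage());
        }
    }
}
```

A library that builds its own parser internally only benefits from these settings if it exposes a way to supply or configure the factory, which is why the thread discusses a fork or a replacement library.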

@gmuth

gmuth commented Nov 5, 2020

I think the reason why XML is used is because the code is based on old "ch.ethz" code that was created when XML was hyped. There is actually no need to use XML in the first place. IPP is binary encoded and a decent object representation can be created without intermediate XML representations.
