Guide - 7.10.38.23 Prevent XML External Entity Attack

Introduction

This migration guide applies to 7.10.38.23-LTS and 7.10.41.0 and 11.9.1.

Data import is an important task of Intershop Commerence Management (ICM). It is imaginable that someone tries to gain unauthorized access to the shop system by using a manipulated schema definition in an import file to trigger an XML external entity attack via our import framework. To prevent this, the access of external resources in import files is now forbidden.

Migration

Ensure that your import files do not contain any references to external XSD resources. All references starting with http or https are blocked by the system. Only references which can be resolved in the classpath can be used.

Example of an import file

[...]
<enfinity xsi:schemaLocation="http://www.intershop.com/xml/ns/enfinity/7.1/xcs/impex catalog.xsd http://www.intershop.com/xml/ns/enfinity/6.5/core/impex-dt dt.xsd" 
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
          xmlns="http://www.intershop.com/xml/ns/enfinity/7.1/xcs/impex" 
          xmlns:xml="http://www.w3.org/XML/1998/namespace" 
          xmlns:dt="http://www.intershop.com/xml/ns/enfinity/6.5/core/impex-dt" 
          major="6" minor="1" family="enfinity" branch="enterprise" build="">
[...]

In case of an invalid import file the import/export error message Loading of external resources is not allowed! is displayed.

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.

ThoTable of Contents

Introduction

Migration