Document Properties
Kbid
3T1188
Last Modified
16-Oct-2024
Added to KB
06-May-2024
Public Access
Everyone
Status
Online
Doc Type
Guidelines
Product
  • ICM 7.10
  • ICM 11
  • ICM 12
Guide - 7.10.38.23 Prevent XML External Entity Attack

Introduction

This migration guide applies to ICM 7.10.38.23-LTS, 7.10.41.0 and 11.9.1.

Data import is an important task of Intershop Commerce Management (ICM). An attacker could try to gain unauthorized access to the shop system by placing a manipulated schema definition in an import file and triggering an XML external entity (XXE) attack through the import framework. To prevent this, import files are no longer allowed to load external resources.

Migration

Ensure that your import files do not contain any references to external XSD resources. All references starting with http or https are blocked by the system; only references that can be resolved from the classpath can be used. This applies to the schema locations, not to namespace URIs: the xsi:schemaLocation attribute lists namespace/location pairs, and only the location half of each pair is loaded, so a namespace URI such as http://www.intershop.com/xml/ns/enfinity/7.1/xcs/impex paired with a classpath-resolvable location such as catalog.xsd is allowed.

Example of an import file

[...]
<enfinity xsi:schemaLocation="http://www.intershop.com/xml/ns/enfinity/7.1/xcs/impex catalog.xsd http://www.intershop.com/xml/ns/enfinity/6.5/core/impex-dt dt.xsd" 
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
          xmlns="http://www.intershop.com/xml/ns/enfinity/7.1/xcs/impex" 
          xmlns:xml="http://www.w3.org/XML/1998/namespace" 
          xmlns:dt="http://www.intershop.com/xml/ns/enfinity/6.5/core/impex-dt" 
          major="6" minor="1" family="enfinity" branch="enterprise" build="">
[...]

If an import file does contain such a reference, the import/export fails with the error message: Loading of external resources is not allowed!
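A pre-check you can run over your import files before uploading them, as an added example that is not Intershop code: it reads only the root element's xsi:schemaLocation (and xsi:noNamespaceSchemaLocation) and flags schema locations starting with http or https, which the system blocks. Because xsi:schemaLocation is a list of namespace/location pairs, it checks only the location half of each pair, so namespace URIs such as http://www.intershop.com/... do not produce false positives. The two sample documents and the https://example.invalid/catalog.xsd location are constructed for this example.

```python
"""Pre-check ICM import files for external XSD references.

Added example, not Intershop code: it mirrors the rule described above
(schema locations starting with http or https are blocked) as a local check
you can run before an import. The two sample documents are constructed.
"""
import sys
import xml.etree.ElementTree as ET
from io import BytesIO

XSI = "http://www.w3.org/2001/XMLSchema-instance"
BLOCKED_SCHEMES = ("http://", "https://")


def schema_locations(xml_bytes):
    """Return the schema *locations* declared on the root element.

    xsi:schemaLocation is a whitespace-separated list of
    (namespace, location) pairs. The namespace is only an identifier and is
    never fetched; the location is what a validating parser tries to load.
    xsi:noNamespaceSchemaLocation is a plain list of locations.
    Only the root start tag is read, so large import files are not loaded
    into memory, and the stdlib expat parser does not expand external
    entities while doing so.
    """
    root = None
    for _event, elem in ET.iterparse(BytesIO(xml_bytes), events=("start",)):
        root = elem
        break
    if root is None:
        return []
    tokens = root.get(f"{{{XSI}}}schemaLocation", "").split()
    if len(tokens) % 2:
        raise ValueError("xsi:schemaLocation must hold namespace/location pairs")
    locations = tokens[1::2]
    locations += root.get(f"{{{XSI}}}noNamespaceSchemaLocation", "").split()
    return locations


def blocked_locations(xml_bytes):
    """Schema locations that the import framework rejects (http/https)."""
    return [loc for loc in schema_locations(xml_bytes)
            if loc.lower().startswith(BLOCKED_SCHEMES)]


# Constructed sample: the shape of the import file shown above, with both
# schema locations (catalog.xsd, dt.xsd) resolvable from the classpath.
VALID_IMPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<enfinity xsi:schemaLocation="http://www.intershop.com/xml/ns/enfinity/7.1/xcs/impex catalog.xsd http://www.intershop.com/xml/ns/enfinity/6.5/core/impex-dt dt.xsd"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://www.intershop.com/xml/ns/enfinity/7.1/xcs/impex"
          xmlns:dt="http://www.intershop.com/xml/ns/enfinity/6.5/core/impex-dt"
          major="6" minor="1" family="enfinity" branch="enterprise" build="">
</enfinity>
"""

# Constructed sample: same file, but the catalog schema is pointed at a
# remote host (hypothetical example.invalid), which the system blocks.
INVALID_IMPORT = VALID_IMPORT.replace(
    b"impex catalog.xsd", b"impex https://example.invalid/catalog.xsd")


def check_file(path):
    """Print the offending locations of one file; return True if it is clean."""
    with open(path, "rb") as fh:
        bad = blocked_locations(fh.read())
    for loc in bad:
        print(f"{path}: external schema location blocked: {loc}")
    return not bad


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = [check_file(p) for p in paths]
        sys.exit(0 if all(results) else 1)
    print("valid sample   ->", blocked_locations(VALID_IMPORT))
    print("invalid sample ->", blocked_locations(INVALID_IMPORT))
```

Run it with the import files as arguments (`python check_import.py catalog-import.xml ...`); it exits non-zero if any file would be rejected. A plain grep for `http` in the schemaLocation attribute would flag every ICM import file, because the namespace URIs all start with http://, which is why the check splits the attribute into pairs first.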

Disclaimer
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.