Last Modified: Sep 13, 2023
Known Affected Versions:
15.1.4, 22.214.171.124, 15.1.5, 126.96.36.199, 15.1.6
17.0.0, 188.8.131.52, 184.108.40.206
Opened: Dec 26, 2021 Severity: 3-Major
On OWASP dashboard, both 2021 and 2017, the Disallow DTDs in XML content profile protection is not calculated correctly on the xml-profile allowDTD field.
Actual OWASP compliance for this protection can be different from the one shown by the GUI.
Open the OWASP page for any non-parent/child security policy, (Security ›› Overview : OWASP Compliance). For OWASP 2017, DTDs is located under A4 category, and for 2021 under A5 category.
The actual conditions that satisfy the Disallow DTDs in XML content profile protection are: 1. 'XML data does not comply with format settings' violation should be set to alarm+block. 2. 'Malformed XML data' violation should be set to alarm + block. 3. No XML content profile in the policy is set so that allowDTDs to true.
Scoring calculation was changed: Now score will be given only if no XML content profile in the policy has allowDTDs field set as true.