Kousuke Ebihara has been credited for finding the security hole

Oct 23, 2013 08:03 GMT  ·  By

The Apache Software Foundation has released Apache Shindig 2.5.0-update 1 to address an XML External Entity (XXE) Injection vulnerability.

“The gadget renderer in the PHP version of Apache Shindig is subject to an XML External Entity (XXE) Injection attack. The vulnerability allows a malicious gadget author to construct paths to content on the gadget rendering server which in turn will display the content in the gadget iframe,” reads the vulnerability advisory.

Kousuke Ebihara is the security researcher who has identified the issue. On the Full Disclosure mailing list, Apache’s Ryan Baxter published a gadget XML that demonstrates the vulnerability.
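A defensive counterpart to the gadget XML mentioned above, added here as an example and not code from Shindig or the advisory: a guard that rejects any gadget spec carrying a DOCTYPE before the renderer's XML parser sees it, and reports the external identifiers the declaration pointed at so the attempt can be logged. The `Module`/`Content` element names follow the OpenSocial gadget format; the two sample specs and the file path are constructed.

```python
"""Pre-parse guard for OpenSocial gadget XML (added example, not Shindig code).
A gadget spec never needs a DOCTYPE, so one is rejected before any parser sees it."""
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Entity (general or parameter) whose replacement text is an external resource.
EXTERNAL_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?(\w+)\s+(?:SYSTEM|PUBLIC\s+["'][^"']*["'])\s+["']([^"']*)["']""",
    re.IGNORECASE,
)

def external_entities(spec: str) -> list[tuple[str, str]]:
    """Return (entity name, external identifier) pairs declared in the spec."""
    return EXTERNAL_ENTITY_RE.findall(spec)

def validate_gadget_spec(spec: str) -> ET.Element:
    """Return the parsed <Module> root, or raise ValueError for an unsafe spec."""
    if DOCTYPE_RE.search(spec):
        targets = ", ".join(f"{n} -> {uri}" for n, uri in external_entities(spec))
        raise ValueError(f"DOCTYPE in gadget spec; external entities: {targets or 'none'}")
    root = ET.fromstring(spec)  # no DOCTYPE left, so there is nothing to expand
    if root.tag != "Module":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root

def is_safe_gadget_spec(spec: str) -> bool:
    """Boolean form of validate_gadget_spec for use as a filter."""
    try:
        validate_gadget_spec(spec)
    except (ValueError, ET.ParseError):
        return False
    return True

# Constructed benign spec.
BENIGN_SPEC = """<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="Hello" />
  <Content type="html"><![CDATA[<p>Hello, world.</p>]]></Content>
</Module>"""
# Constructed in the shape the advisory describes; the file path is a placeholder.
XXE_SPEC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Module [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/path/on/rendering/server">
]>
<Module>
  <ModulePrefs title="Leaky" />
  <Content type="html">&leak;</Content>
</Module>"""
```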

Users are advised to update their installations to the patched release as soon as possible.

Apache Shindig is an OpenSocial container, implemented in Java and PHP, designed to help developers host OpenSocial apps.
