XML External Entity (XXE) Vulnerability in admin/api.php #944

Closed
EgiX opened this Issue Oct 28, 2014 · 4 comments

EgiX commented Oct 28, 2014

Last week I tried to notify you about this issue by sending an email to some @get-simple.info addresses that I found on this page (including info@get-simple.info and security@get-simple.info), but I haven't received a response, so I'm opening this ticket.

When the External API is enabled from within the gsconfig.php file, an attacker might be able to carry out XML External Entity (XXE) attacks resulting in arbitrary file disclosures. This is the vulnerable line of code, where the simplexml_load_string() function is used with user input passed via the 'data' POST parameter. To fix this vulnerability you may want to use the libxml_disable_entity_loader() function.

Since GetSimple is an XML-based CMS, this vulnerability might be abused to disclose sensitive data stored in XML files which might allow attackers to bypass the authentication mechanism and access the administration panel in order to achieve arbitrary code execution. On the other hand, the vulnerability is relatively minor, because it's mitigated by the fact that the 'GSEXTAPI' constant is not defined by default.
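A hardened stand-in for the simplexml_load_string() call on the 'data' POST parameter described in the report above, as an added example that is not GetSimple's own code; the function name parse_api_request(), the PHP version gate and the sample request bodies are assumptions. Besides the libxml_disable_entity_loader() fix the report suggests, it rejects any DOCTYPE before parsing, since the API has no need for a DTD.

```php
<?php
// Added example, not GetSimple's code: a hardened stand-in for the
// simplexml_load_string($_POST['data']) call the issue describes.
// Assumed: the function name parse_api_request() and the sample bodies below.
declare(strict_types=1);
/**
 * Parse untrusted XML without resolving entities.
 *  1. Refuse any document carrying a DOCTYPE: the API never needs one, and
 *     DTD-declared entities are the vehicle for XXE.
 *  2. Disable external entity loading for the process (libxml >= 2.9, and so
 *     PHP >= 8.0, already defaults to disabled; the function is deprecated
 *     there) and pass LIBXML_NONET so the parser never touches the network.
 *  3. Never pass LIBXML_NOENT or LIBXML_DTDLOAD, which re-enable substitution.
 */
function parse_api_request(string $xml): SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true); // returns the old setting
    }
    $useErrors = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        if ($doc === false) {
            $err = libxml_get_last_error();
            throw new InvalidArgumentException(
                'Malformed XML: ' . ($err ? trim($err->message) : 'unknown'));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if (isset($previous)) {
            libxml_disable_entity_loader($previous); // restore caller's state
        }
    }
}

// Constructed sample request bodies: a normal one and one that carries a DTD.
$good = '<request><action>list_pages</action></request>';
$bad  = '<?xml version="1.0"?><!DOCTYPE request [<!ENTITY e "x">]><request>&e;</request>';
echo 'action: ', (string) parse_api_request($good)->action, "\n";
try {
    parse_api_request($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```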

Member

tablatronix commented Oct 28, 2014

libxml_disable_entity_loader should be default in 5.3.2+
Obtaining the api token already allows exploit of all kinds of stuff

The API is not really supported anymore and has not been maintained since 3.1; it is not recommended for use, as it is and always has been experimental.

Not sure if it will be fixed or removed; it needs to be rewritten entirely, using modern API methods and security.

EgiX commented Oct 28, 2014

libxml_disable_entity_loader should be default in 5.3.2+

I think the default setting has been true since PHP 5.4.13; indeed, I'm able to exploit this vulnerability on 5.3.3.

Obtaining the api token already allows exploit of all kinds of stuff

The API token is not required to exploit this vulnerability, nor is authentication. The only requirement is that the GSEXTAPI constant is defined.

it is not recommended for use as it is and always has been experimental

I don't see "experimental" or "Not recommended" near the GSEXTAPI description on this page.

Member

tablatronix commented Oct 28, 2014

Gotcha, I tried finding where I read that, but I can't find it again. I had an issue on it months ago and closed it because it seemed to be a non-issue; perhaps I was wrong.

(Maybe I am thinking of remote XXE, if there is an option for external URL entities.)

I need to update that wiki article desperately; no one has ever even used the API that I know of, or even tested it. It was written by an original author a long time ago.

@tablatronix tablatronix modified the milestones: v3.4.0, 3.3.5 Oct 28, 2014

tablatronix added a commit that referenced this issue Oct 30, 2014

EgiX commented Nov 26, 2014

FYI: the Common Vulnerabilities and Exposures project has assigned the name CVE-2014-8790 to this vulnerability.