There is a function in the background for importing other blogs. This function needs to parse an XML file, but it does not apply security defenses such as setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

So there is an XML external entity (XXE) vulnerability. This vulnerability can be used to probe the intranet, read files, carry out DDoS attacks, etc.

Demonstrate reading files

First construct an evil XML file. When the file is parsed, it reads the /tmp/xxe.txt file and puts the result into the category list field.

Upload this file to the system and get the file path upload/2019/12/wp-66897ae127a54923a4987d1374420271.xml

Use the import WordPress blog information interface to trigger the vulnerability.

After sending the above message, you can see the contents of the /tmp/xxe.txt file in the background classification directory.

Bug fix recommendations:

setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
https://find-sec-bugs.github.io/bugs.htm#XXE_SAXPARSER