| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Jun 2014 13:15:20 -0500 From: Brandon Perry <bperry.volatile@...il.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] HP Enterprise Maps 1.00 Authenticated XXE HP Enterprise Maps 1.00 Authenticated XXE vulnerability http://www8.hp.com/us/en/software/enterprise-software.html Any user that has the ability to import a file to create an artifact (most, if not all authed users?) can upload a specially crafted WSDL that will read files such as /etc/passwd. If you download the OVA available, then log in as vagrant:vagrant over ssh, you should see a series of commands followed by a bash prompt. Follow the instructions printed, I also followed the instruction to install the demo data. After this, you have two accounts available, ‘admin’ and ‘demoapprover’. Both have the password ‘changeit’. You may log in as either of these users, and import the following WSDL as a file (Import menu item -> File), then follow the first link to the ‘GetQuote’ method when it finishes parsing the WSDL. The /etc/passwd file will be listed at the top. Example WSDL: https://gist.github.com/brandonprry/470bb4ec7d019cbfe4e6 Image of page once exploited: http://imgur.com/14eAOCw -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists