lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CA+-4HnUVdRsaHhQ1dAqi26ZpQv9ORfj-5bOPTP1GDT9c62RWzw@mail.gmail.com>
Date: Wed, 12 Sep 2018 10:37:19 +0200
From: Jonas Lejon <jonas.bugtraq@...op.se>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2017-17762 - XXE Vulnerability in Episerver CMS

About
==============
Blind (XXE) XML External Entity vulnerability in the CMS Episerver 7
patch 4 and below. The vulnerability is in the blog module and can be
used even if the blog module has been disabled.

Exploit
==============
PoC exploit attached.

Mitigations
==============
Disable access to the path /util/xmlrpc/Handler.ashx
Disable outgoing access from the webserver, including DNS etc.

Disclosure timeline
==============
2017-12-12 Contacting CERT-SE
2017-12-13 Contacting the Episerver company
2017-12-19 CVE-number reserved
2017-12-21 The Episerver VP R&D acknowledges the vulnerability.
Internal bug number is #128556 and he writes that it's fixed from
Episerver 7-patch 5
2018-08-28 First public info


Regards,
Jonas Lejon
Triop AB
https://triop.se

View attachment "episploit.py" of type "text/x-python-script" (3070 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ