Message-ID: <20260216104805.0973e078@hboeck.de>
Date: Mon, 16 Feb 2026 10:48:05 +0100
From: Hanno Böck <hanno@...eck.de>
To: fulldisclosure@...lists.org
Subject: [FD] Blind XXE in Electronic Invoice online tools (validator.invoice-portal.de, xrechnung.rib.de)

During tests of electronic invoicing tools, I discovered multiple XXE
and Blind XXE vulnerabilities in online tools parsing electronic
invoices in XML formats.

While most of the affected tools have fixed these vulnerabilities, two
online tools remain vulnerable to Blind XXE attacks, allowing
exfiltration of files. Disclosure to the affected operators happened
more than 90 days ago.

Vulnerable tools:

https://validator.invoice-portal.de/
https://xrechnung.rib.de/ (only the visualization tool)

In both cases, uploading an invoice with a blind XXE payload leads to
HTTP requests to the attacker's server and exfiltrates file content.
Proof of concepts, e.g., to exfiltrate /etc/hostname
(ciibxxehostname.xml), can be found here:
  https://github.com/hannob/invoicesec


Timeline validator.invoice-portal.de:
2025-11-17 Informed support contact about Blind XXE vulnerability, no reply
2026-02-16 Still vulnerable, public disclosure

Timeline xrechnung.rib.de:
2025-10-29 Reported "standard" XXE via contact form, no reply
2025-11-18 Re-test, incomplete fix: "Standard" XXE fixed, Blind XXE still possible
2025-11-18 Re-reported incomplete fix, no reply
2026-02-16 Still vulnerable, public disclosure

This was part of a larger research effort about the security of EU
electronic invoices:
  https://invoice.secvuln.info/

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
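A defender-side illustration of the fix this advisory calls for, added here as an example that is not part of the original message or the author's invoicesec repository: an expat configuration that aborts on any DOCTYPE or entity declaration before an uploaded e-invoice is parsed, so neither classic nor blind XXE can reach a file or an external server. The two invoice documents are constructed for the example, and the CII namespace URI and element names are assumed for illustration.

```python
import xml.parsers.expat as expat


class UnsafeInvoiceXML(ValueError):
    """Raised when an uploaded document carries a DTD or entity declaration."""


def parse_invoice(xml_bytes: bytes) -> dict:
    """Parse an XML invoice with expat set up so no DTD or entity is ever processed."""
    parser = expat.ParserCreate()
    # Never expand parameter entities (the vehicle for external-DTD blind XXE).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    summary = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # UBL and CII invoices never need a DOCTYPE, so any DTD is hostile:
        # abort on the declaration itself, before an entity can be defined.
        raise UnsafeInvoiceXML(f"DOCTYPE {name!r} is not allowed in an invoice")

    def on_entity_decl(*decl):
        raise UnsafeInvoiceXML("entity declarations are not allowed in an invoice")

    def on_start(name, attrs):
        summary["root"] = summary["root"] or name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return summary


def is_accepted(xml_bytes: bytes) -> bool:
    """Upload gate: True only if the document parses under the hardened rules."""
    try:
        parse_invoice(xml_bytes)
    except (UnsafeInvoiceXML, expat.ExpatError):
        return False
    return True


# Constructed, minimal CII-style invoice (namespace URI assumed; not a real invoice).
BENIGN_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<rsm:CrossIndustryInvoice xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100">
  <rsm:ExchangedDocument><rsm:ID>INV-2026-0001</rsm:ID></rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>"""

# Constructed upload of the kind the advisory describes: a DTD that declares an
# external entity pointing at a local file. The gate rejects it at the DOCTYPE.
HOSTILE_INVOICE = b"""<?xml version="1.0"?>
<!DOCTYPE Invoice [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>
<Invoice>&xxe;</Invoice>"""
```

The same gate should sit in front of whichever parser the service actually uses; libraries with `resolve_entities`, `no_network` or DTD-loading switches need those set too, since this check only covers the expat path shown.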
