Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #7458 External XML Entity Injection
    Actions
    Infos
    #7458
    Manuel Vacelet (vaceletm)
    2014-10-28 18:18
    2014-09-18 16:31
    7456
    Details
    External XML Entity Injection

    The application was found vulnerable to External Entity Injection

     

    Impact:

     

    A authenticated user in position to exploit this issue would be able to read the files from the system and thus affect it’s confidentiality.

     

    Exploit:

     

    Step 1

     

    POST /plugins/tracker/?group_id=102&func=create HTTP/1.1

    Host: 192.168.56.105

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101

    Firefox/31.0

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

    Accept-Language: en-US,en;q=0.5

    Accept-Encoding: gzip, deflate

    Referer: https://192.168.56.105/plugins/tracker/?group_id=102&func=create

    Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4;

    TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79

    Connection: keep-alive

    Content-Type: multipart/form-data;

    boundary=---------------------------12077103611061

    Content-Length: 25588

     

    -----------------------------12077103611061

    Content-Disposition: form-data; name="group_id"

     

    102

    -----------------------------12077103611061

    Content-Disposition: form-data; name="func"

     

    docreate

    -----------------------------12077103611061

    Content-Disposition: form-data; name="group_id_template"

     

    100

    -----------------------------12077103611061

    Content-Disposition: form-data; name="tracker_new_prjname"

     

    Commencez à taper

    -----------------------------12077103611061

    Content-Disposition: form-data; name="create_mode"

     

    xml

    -----------------------------12077103611061

    Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml"

    Content-Type: text/xml

     

    -----------------------------12077103611061

    Content-Disposition: form-data; name="name"

     

    Bugs

    -----------------------------12077103611061

    Content-Disposition: form-data; name="description"

     

    Bugs Tracker

    -----------------------------12077103611061

    Content-Disposition: form-data; name="itemname"

     

    bug

    -----------------------------12077103611061

    Content-Disposition: form-data; name="Create"

     

     

     

    Créer

    -----------------------------12077103611061--

     

    Step 2

     

    https://192.168.56.105/plugins/tracker/?group_id=102&tracker=12

    or

    https://192.168.56.105/plugins/tracker/?tracker=12&func=admin-formElements

     

    Trackers
    7.2
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Nicolas Terray (nterray)
    Closed
    2014-09-26
    Attachments
    Artifact links
    Empty
    By Nicolas Terray (nterray)
    (23 kB)
    cve.xml
    References
    Referencing request #7458

    Artifact Tracker v5

    rel #7433 7.6

    Git commit

    tuleap/tuleap/stable

    Fix request #7458: External XML Entity Injection 4064ac5de8
    User avatar Manuel Vacelet (vaceletm) , 2014-09-25 14:02
    Fix request #7458: External XML Entity Injection e370c81090
    User avatar Nicolas Terray (nterray) , 2014-10-07 08:42
    Display settings

    Follow-ups

    User avatar
    Manuel Vacelet (vaceletm)2014-09-25 14:05
    Merged in 7.5.99.10
    Need to wait for 1 week before merging in TE IMHO
    • Status changed from Under review to Closed
    • Assigned to changed from None to Nicolas Terray (nterray)
    User avatar
    Nicolas Terray (nterray)2014-09-19 16:37
    • Summary
      -External XML Entity Injection 1 
      +External XML Entity Injection 
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes