exploit the possibilities

OpenOffice.org Data Leakage

OpenOffice.org Data Leakage
Posted Mar 23, 2012
Authored by Timothy D. Morgan | Site apache.org

An XML External Entity (XXE) attack is possible in OpenOffice.org versions 3.3 and 3.4 Beta. This vulnerability exploits the way in which external entities are processed in certain XML components of ODF documents.

tags | advisory, xxe
advisories | CVE-2012-0037
MD5 | 151237e4e5475ac81f0b89e30fba0e55

OpenOffice.org Data Leakage

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-0037: OpenOffice.org data leakage vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.

Description: An XML External Entity (XXE) attack is possible in the
above versions of OpenOffice.org. This vulnerability exploits the way
in
which external entities are processed in certain XML components of ODF
documents. By crafting an external entity to refer to other local
file system
resources, an attacker would be able to inject contents of other
locally- accessible files into the ODF document, without the user's
knowledge or permission. Data leakage then becomes possible when that
document is later distributed to other parties.

Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html

This vulnerability is also fixed in Apache OpenOffice 3.4 dev
snapshots since March 1st, 2012.

Source and Building: Information on obtaining the source code for this
patch, and for porting it or adapting it to OpenOffice.org derivatives
can be found here: http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt

Credit: The Apache OpenOffice project acknowledges and thanks the
discoverer of this issue, Timothy D. Morgan of Virtual Security
Research, LLC.

References: http://security.openoffice.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPayGmAAoJEGFAoYdHzLzHJVcP/jXzY+ROwPTAaSItCc4GAn2q
Gm3uL9D9aRrs/pp+sofRkF9L3nyWEyyVfvZv6+IBrqOU/2Tu1CD8cY6Kns1ZYxVO
ZRDiR5hhr3pA6KfWlb9W9it/8JsTF7WZfTX0uRMPXCYlJuYQ38Nl7kloPYswXG2w
By2J19VanlHuwLQJoNV08652HBDy2Xpa6Wk7N5NoyETILOS47QTgizjAYZ2AY0GE
ykBFu9A9yblLM5zftuMT/4FxkHQ8Qx5I3NmV3V8cUgJlmbc2oscsC23iIPcoulJF
GSn8tub/e47xzgpJy69NoHgzmb6Ou+J3BDXr0kmH008P6FaTpTgPTltZ8Fcua+T2
JSWjzW5IBOW/20J9RN+5lkDJQTY5FiqqpjV7H6bZV3+MVx3Fk/ih1uJPr2cVZqaT
pDU5xtn79py7MNsmpjnzD7mPbdiA2OfStzFpqUM60HOki7RgGpozvUPEvA0uIss9
X/jP1KixPDdbGS2fMrM7KG9mnT8BOzwow0Vti7alP2x2BkTXZm2K/qflXJDFCxTn
g23OJIxlnhC8cK4etyezWNMSya4LLMgz6ZO+TEdvCSaaF6b3t6seskgnFAMcdPHY
bkfzzYnACtrvQAmRQ1Nn4i1yFGAY+cTE7sUO2NcFhHn6jXaiZFEatdh4XJEEcTXl
OZE/3v6XnehMD/32kipa
=/qce
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close