exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TufinOS 2.1.7 Build 1193 XML Injection

TufinOS 2.1.7 Build 1193 XML Injection
Posted Nov 12, 2018
Authored by Konstantinos Alexiou

TufinOS version 2.1.7 build 1193 suffers from an XML external entity injection vulnerability.

tags | exploit
SHA-256 | c7eeef472d3bbfb7e0cff63da1db6a06e9fc92d0a0ec3d9dd0bfd2873b6827ed
Download | Favorite | View

TufinOS 2.1.7 Build 1193 XML Injection

Change Mirror Download
# Exploit Title: TufinOS 2.17 Build 1193 - XML External Entity Injection
# Exploit Author: konstantinos Alexiou
# Date: 2018-10-18
# Vendor: https://www.tufin.com
# Software Link: https://www.tufin.com/tufin-orchestration-suite/securetrack
# CVE: N/A
# Category: webapps
 
# 1. Description
# The SecureTrack application is vulnerable to XML External Entity injection. 
# This attack is considered quite serious and can be used to:
# (1) Retrieve confidential data
# (2) Perform denial of service
# (3) Execute server side request forgery attacks
# (4) Perform port scanning through the machine on other systems 
 
# The issue was identified inside the "Audit" > "Best Practices" module of the "SecureTrack" 
# application when creating a new Best Practices query and manipulating the "xml" parameter 
# in the request. When the vulnerability is triggered it doesn't directly return anything 
# to the attacker but rather the contents of the requested file are written inside 
# the name field of a best practices. This vulnerability affects every "SecureTrack" 
# application authentication user role.
    
# 2. Proof of Concept
# Step 1: Login to the "SecureTrack" application using any user and then navigate to 
# "Audit" > "Best Practices". 
# Step 2: Create and submit a "New Query" while intercepting the traffic:
# Step 3: Send the request to repeater and change it to include the following 
# payload after the "xml=" input field:
-->
 
<!DOCTYPE foo [<!ENTITY AAAA SYSTEM "file:///etc/passwd"> ]>
 
<!--
 
# The payload should be URL encoded before delivered to the application
 
# Step 4: Submit the request to the server.
 
# Step 5: Refresh your browser to view the new Best Practice that was created. The following image 
# displays that the request was successfully processed by the server and a new Best Practice was 
# created. The contents of the requested file "/etc/passwd" is saved as the name of the "Best Practice query". 
 
# 3. Solution:
# Reconfigure the XML processor to use a local static DTD and disallow any declared DTD included in 
# the XML document. Another solution is to explicitly disable External XML Entities in the parser of 
# the application.


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close