what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

NextApp Echo XML Injection

NextApp Echo XML Injection
Posted Mar 10, 2009
Site sec-consult.com

SEC Consult Security Advisory 20090305-0 - NextApp Echo2 versions below 2.1.1 suffer from a XML injection vulnerability.

tags | exploit, xxe
SHA-256 | e364a88c2cc90f61eeb02c0e5b44a6ff6992024991a758fa3a4903a2fe77a6b5

NextApp Echo XML Injection

Change Mirror Download
SEC Consult Security Advisory < 20090305-0 >
========================================================================
title: NextApp Echo XML Injection Vulnerability
program: NextApp Echo
vulnerable version: Echo2 < 2.1.1
homepage: http://echo.nextapp.com/site/echo2
found: Feb. 2008
by: Anonymous / SEC Consult Vulnerability Lab
permanent link:
http://www.sec-consult.com/files/20090305-0_echo_nextapp_xml_injection.txt
========================================================================

Vendor description:
-------------------

Echo is a platform for building web-based applications that approach the
capabilities of rich clients. The applications are developed using a
component-oriented and event-driven API, eliminating the need to deal
with the "page-based" nature of browsers. To the developer, Echo works
just like a user interface toolkit.

Vulnerability overview:
-----------------------

Unverified XML Data is passed from the client (Webbrowser) to the
NextApp Echo Engine and consequently to an underlying XML Parser. This
leading to a typical XML Injection scenario.

Vulnerability description:
--------------------------

All XML requests for the framework are created by javascript and than
sent to the Server via POST HTTP requests.

A typical requests would look like the following:

---cut here---
<client-message xmlns="http://www.nextapp.com/products/echo2/climsg"
trans-id="3" focus="c_25"><message-part xmlns=""
processor="EchoPropertyUpdate"><property component-id="c_25"
name="text">aa</property><property component-id="c_25"
name="horizontalScroll" value="0"/><property component-id="c_25"
name="verticalScroll" value="0"/></message-part><message-part xmlns=""
processor="EchoAction"><action component-id="c_25"
name="action"/></message-part></client-message>
---cut here---

By manipulating the POST content it is possible to inject arbitrary XML
declarations- and tags.

Proof of concept:
-----------------

The following entity declaration would create a new XML entity with the
content of the boot.ini file which can be referenced in the following
XML request content:

---cut here---
<?xml version="1.0"?><!DOCTYPE sec [<!ELEMENT sec ANY><!ENTITY
mytestentity SYSTEM "file:///c:\boot.ini">]>
---cut here---

Vulnerable versions:
--------------------
NextApp Echo v2.1.0.rc2


Vendor contact timeline:
------------------------
2009/02/16: Vendor notified via email
2009/02/24: Patch available


Patch:
-----------------

The vendor has released an update which addresses the vulnerability. The
update can be downloaded at:

http://echo.nextapp.com/site/node/5742

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

# EOF SEC Consult Vulnerability Lab / @2009
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close