02 Feb Security Advisory – SOS-15-002 – XML External Entity Injection (XXE)
Release Date: 02-Feb-2015
Last Update: –
Vendor Notification Date: 20-Jan-2015
Product: Splendid CRM Community Edition
Platform: –
Affected versions: All versions prior to 9.0.5478
Severity Rating: Medium
Impact: Local file system access
Attack Vector: Remote with authentication
Solution Status: Vendor update
CVE reference: –
Details
Importing an XML file that contains an XML external entity to the Splendid CRM application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the administrative interface. An XML External Entity attack is an attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity such as a local file on the web server. Common targets include configuration files, e.g. ASP.NET web.config or Linux password files, e.g. /etc/shadow.
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution
Update to the latest version.
Discovered By
Nathaniel Carew from Sense of Security Labs.
Sorry, the comment form is closed at this time.