Vulnerable scenario: your service takes XML as input and echoes content from that input back in its response (commonly in an error message that quotes a parameter value).
Because XML DTDs support entity declarations (a variable-like substitution), you can define an entity inside the DOCTYPE and have the parser expand it in the document. For example, to define an entity myVar with the value "hello":
<!DOCTYPE Query [ <!ENTITY myVar "hello" > ]>
This can be extended so that the entity's content is read from a file on the server's disk and substituted wherever the entity is referenced:
<!DOCTYPE MySearchKeyword [ <!ENTITY myVar SYSTEM "file:///etc/passwd" > ]>
The attack: combine the file-reading entity with the XML input the service expects:
<?xml version='1.0' encoding='ISO-8859-1'?><!DOCTYPE Query [ <!ENTITY myVar SYSTEM "file:///etc/passwd" > ]> <Search>&myVar;</Search>
The server then takes the content inside <Search> as the search term (which is now the contents of the passwd file) and echoes it back to the client in its response.
Solution:
- Disable DTD processing (DOCTYPE and entity declarations) in the XML parser, so that entity definitions in untrusted input are never honoured.
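As an added example, not code from the original post, the check below uses a bare expat pass to reject any DOCTYPE before the document reaches the application parser; the benign query and the payload are constructed sample inputs, and the <Search> element name is taken from the post.

```python
"""Reject DOCTYPE/entity declarations in untrusted XML before parsing it."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample inputs: a normal query and the file-reading payload.
BENIGN_QUERY = b"<?xml version='1.0'?><Search>shoes</Search>"
XXE_PAYLOAD = (
    b"<?xml version='1.0' encoding='ISO-8859-1'?>"
    b'<!DOCTYPE Query [ <!ENTITY myVar SYSTEM "file:///etc/passwd" > ]> '
    b"<Search>&myVar;</Search>"
)


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so may declare entities)."""


def reject_doctype(data: bytes) -> None:
    """Abort on the first DOCTYPE declaration.

    Expat reports the DOCTYPE before any entity is expanded, so the
    rejection happens whether the entity points at a local file or a URL.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def search_term(data: bytes) -> str:
    """Return the <Search> text, or raise DoctypeRejected for DTD-bearing input."""
    reject_doctype(data)
    root = ET.fromstring(data)
    return root.text or ""


def is_rejected(data: bytes) -> bool:
    """Helper for callers that only need a yes/no answer (hypothetical API)."""
    try:
        search_term(data)
    except DoctypeRejected:
        return True
    return False
```

Rejecting the DOCTYPE outright is simpler and safer than trying to distinguish harmless entity declarations from external ones.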