Select the search type
  • Site
  • Web
Search
You are here:  Support/Forums
Support

Bring2mind Forums

XML external entity injection threat
Last Post 03/05/2019 1:39 PM by Peter Donker. 1 Replies.
Sort:
PrevPrev NextNext
You are not authorized to post a reply.
Author Messages
Mark Darty
New Member
New Member
Posts:3


--
05/06/2016 8:03 PM


Our organization has been tasked with scanning all of our in-house and third-party software for security threats using the Acunetix auditing tool. 4 of our sites run DNN with the DMX module and a recent scan has uncovered the following vulnerability:




--------------------------------- Begin scan results -----------------------------------

Alert details

XML external entity injection

Severity High

Type Configuration

Reported by module Scripting (XML_External_Entity_Injection.script)

Description

XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline
include of XML located at a particular URI. An external XML entity can be used to append or modify the document type
declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the
content of an XML document.

Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the
processor will not be validating, but it MAY include the replacement text thus initiating an unexpected file open operation,
or HTTP transfer, or whatever system ids the XML processor knows how to access.

below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd)

?xml version="1.0" encoding="utf-8"?>

!DOCTYPE acunetix [

!ENTITY acunetixent SYSTEM "file:///etc/passwd">

]>

xxx>&acunetixent;/xxx>

Impact

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using
file: schemes or relative paths in the system identifier. Since the attack occurs relative to the application processing the
XML document, an attacker may use this trusted application to pivot to other internal systems, possibly disclosing other
internal content via http(s) requests.

Recommendation

If possible it's recommended to disable parsing of XML external entities.

--------------------------------- End scan results -----------------------------------




Is there an update or workaround available for this threat?




DNN Version: 07.04.02 (216)

DMX Version: 6.1.13




Thanks

Peter Donker
Veteran Member
Veteran Member
Posts:4536


--
03/05/2019 1:39 PM
I can't tell how this attack vector would play out. Which XML file is being referred to that is being processed? Note that only host users can edit any active files on the site, but a host user is considered trusted for that server. Please contact me by email if you have more specifics.
You are not authorized to post a reply.