NextApp Echo XML Injection

Type packetstorm
Modified 2009-03-10T00:00:00


SEC Consult Security Advisory < 20090305-0 >  
title: NextApp Echo XML Injection Vulnerability  
program: NextApp Echo  
vulnerable version: Echo2 < 2.1.1  
found: Feb. 2008  
by: Anonymous / SEC Consult Vulnerability Lab  
permanent link:  
Vendor description:  
Echo is a platform for building web-based applications that approach the  
capabilities of rich clients. The applications are developed using a  
component-oriented and event-driven API, eliminating the need to deal  
with the "page-based" nature of browsers. To the developer, Echo works  
just like a user interface toolkit.  
Vulnerability overview:  
Unverified XML data is passed from the client (web browser) to the  
NextApp Echo engine and consequently to an underlying XML parser. This  
leads to a typical XML injection scenario.  
Vulnerability description:  
All XML requests for the framework are created by JavaScript and then  
sent to the server via HTTP POST requests.  
A typical request would look like the following:  
---cut here---  
<client-message xmlns=""  
trans-id="3" focus="c_25"><message-part xmlns=""  
processor="EchoPropertyUpdate"><property component-id="c_25"  
name="text">aa</property><property component-id="c_25"  
name="horizontalScroll" value="0"/><property component-id="c_25"  
name="verticalScroll" value="0"/></message-part><message-part xmlns=""  
processor="EchoAction"><action component-id="c_25"  
---cut here---  
By manipulating the POST content it is possible to inject arbitrary XML  
declarations and tags.  
Proof of concept:  
The following entity declaration would create a new XML entity with the  
content of the boot.ini file, which can then be referenced in the  
subsequent XML request content:  
---cut here---  
<?xml version="1.0"?><!DOCTYPE sec [<!ELEMENT sec ANY><!ENTITY  
mytestentity SYSTEM "file:///c:\boot.ini">]>  
---cut here---  
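The server-side countermeasure, as an added illustration that is not part of the advisory or of the Echo code base: a JAXP DocumentBuilder configured to reject any DOCTYPE and never resolve external entities, so an injected declaration like the one above fails at parse time instead of being resolved. The class and method names are hypothetical, and the sample request is constructed after the one shown above.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedClientMessageParser {

    // JAXP builder that refuses any DTD and never resolves external entities,
    // so a DOCTYPE injected into the POST body is a parse error, not a file read.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses a client-message and returns its trans-id; throws SAXException
    // for anything the hardened parser rejects, including any DOCTYPE.
    static String parseTransId(String body) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(body)));
        return doc.getDocumentElement().getAttribute("trans-id");
    }

    public static void main(String[] args) throws Exception {
        // Constructed request shaped like the advisory's example, without a DOCTYPE.
        String benign = "<client-message xmlns=\"\" trans-id=\"3\" focus=\"c_25\">"
            + "<message-part xmlns=\"\" processor=\"EchoPropertyUpdate\">"
            + "<property component-id=\"c_25\" name=\"text\">aa</property>"
            + "</message-part></client-message>";
        System.out.println("benign trans-id: " + parseTransId(benign));

        // The same request with a DOCTYPE prepended: rejected before any entity
        // declaration inside it could be processed.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE sec [<!ELEMENT sec ANY>]>" + benign;
        try {
            parseTransId(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the single setting that closes this class of injection; the remaining features are defence in depth for parsers where a DTD must be tolerated.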
Vulnerable versions:  
NextApp Echo v2.1.0.rc2  
Vendor contact timeline:  
2009/02/16: Vendor notified via email  
2009/02/24: Patch available  
The vendor has released an update which addresses the vulnerability. The  
update can be downloaded at:  
SEC Consult Unternehmensberatung GmbH  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
# EOF SEC Consult Vulnerability Lab / @2009