Sense of Security – Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7

Release Date. 23-Oct-2019
Last Update.
Vendor Notification Date. 09-July-2019
Product. XNAT
Platform. Linux and possibly others
Affected versions. 1.7.5.3 (confirmed) and possibly earlier versions
Severity Rating. High
Impact. System Access
Attack Vector. Remote with authentication
Solution Status. XNAT 1.7.5.4 Hotfix Release
CVE reference. CVE-2019-14276

Details

XML External Entity (XXE) injection is an attack against an application that parses XML input. It occurs when the XML input contains a reference to an external entity, such as a local file on the web server, that the parser resolves. Importing an XML file that contains an XML external entity into the XNAT application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the application. Common targets include configuration files (e.g. ASP.NET web.config) and Linux password files (e.g. /etc/shadow).

The following URL is affected:

  • /REST/search

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Apply the patch from the XNAT 1.7.5.4 Hotfix Release.

Additional information is available at:

https://wiki.xnat.org/news/blog/2019/08/xnat-1-7-5-4-hotfix-release-now-available

https://wiki.xnat.org/documentation/getting-started-with-xnat/what-s-new-in-xnat/xnat-1-7-5-4-release-notes

Discovered By

Hamed Merati from Sense of Security Labs.