02 Feb Security Advisory – SOS-15-002 – XML External Entity Injection (XXE)
Release Date: 02-Feb-2015
Last Update: –
Vendor Notification Date: 20-Jan-2015
Product: Splendid CRM Community Edition
Affected versions: All versions prior to 9.0.5478
Severity Rating: Medium
Impact: Local file system access
Attack Vector: Remote with authentication
Solution Status: Vendor update
CVE reference: –
Importing an XML file that contains an XML external entity to the Splendid CRM application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the administrative interface. An XML External Entity attack is an attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity such as a local file on the web server. Common targets include configuration files, e.g. ASP.NET web.config or Linux password files, e.g. /etc/shadow.
Please refer to the PDF version of this advisory for proof of concept code examples.
Update to the latest version.
Nathaniel Carew from Sense of Security Labs.