Sybase EAServer XXE Injection

2013.08.12
Credit: MustLive
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hello! I'll give you additional information concerning advisory SEC Consult SA-20130719-0 :: Multiple vulnerabilities in Sybase EAServer (http://securityvulns.ru/docs29622.html). It's about XXE Injection in Sybase EAServer. Among vulnerabilities in EAServer there is XXE Injection and it was only mentioned about local file inclusion and directory listing attack vector. But this XXE Injection vulnerability also allows to conduct attacks on other sites. So I'll supplement SEC Consult's advisory and will bring your attention to another attack vector. I wrote about such attacks in my 2012's article "Using XML External Entities (XXE) for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html) and 2013's "Using XXE vulnerabilities for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html). As I described in my articles, XXE vulnerabilities can be used for conducting CSRF and DoS attacks on other sites (and at using multiple web sites it's possible to conduct DDoS attacks). And last month I released a tool for conducting such attacks - in DAVOSET v.1.1.2 I added support of XML requests for XXE vulnerabilities. XXE (WASC-43): For the attack it's needed to send the next XML data in POST request. <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://site/page">]> <lol> <dt> <stringValue>&xxe;</stringValue> <booleanValue>0</booleanValue> </dt> </lol> So all servers with affected versions of Sybase EAServer can be used for attacks on other sites via XXE. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

References:

http://securityvulns.ru/docs29622.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top