Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21470
HistoryMar 12, 2009 - 12:00 a.m.

SEC Consult SA-20090305-0 :: NextApp Echo XML Injection Vulnerability

2009-03-1200:00:00
vulners.com
19

SEC Consult Security Advisory < 20090305-0 >

              title: NextApp Echo XML Injection Vulnerability
            program: NextApp Echo
 vulnerable version: Echo2 &lt; 2.1.1
           homepage: http://echo.nextapp.com/site/echo2
              found: Feb. 2008
                 by: Anonymous / SEC Consult Vulnerability Lab
     permanent link:

http://www.sec-consult.com/files/20090305-0_echo_nextapp_xml_injection.txt

Vendor description:

Echo is a platform for building web-based applications that approach the
capabilities of rich clients. The applications are developed using a
component-oriented and event-driven API, eliminating the need to deal
with the "page-based" nature of browsers. To the developer, Echo works
just like a user interface toolkit.

Vulnerability overview:

Unverified XML Data is passed from the client (Webbrowser) to the
NextApp Echo Engine and consequently to an underlying XML Parser. This
leading to a typical XML Injection scenario.

Vulnerability description:

All XML requests for the framework are created by javascript and than
sent to the Server via POST HTTP requests.

A typical requests would look like the following:

—cut here—
<client-message xmlns="http://www.nextapp.com/products/echo2/climsg&quot;
trans-id="3" focus="c_25"><message-part xmlns=""
processor="EchoPropertyUpdate"><property component-id="c_25"
name="text">aa</property><property component-id="c_25"
name="horizontalScroll" value="0"/><property component-id="c_25"
name="verticalScroll" value="0"/></message-part><message-part xmlns=""
processor="EchoAction"><action component-id="c_25"
name="action"/></message-part></client-message>
—cut here—

By manipulating the POST content it is possible to inject arbitrary XML
declarations- and tags.

Proof of concept:

The following entity declaration would create a new XML entity with the
content of the boot.ini file which can be referenced in the following
XML request content:

—cut here—
<?xml version="1.0"?><!DOCTYPE sec [<!ELEMENT sec ANY><!ENTITY
mytestentity SYSTEM "file:///c:\boot.ini">]>
—cut here—

Vulnerable versions:

NextApp Echo v2.1.0.rc2

Vendor contact timeline:

2009/02/16: Vendor notified via email
2009/02/24: Patch available

Patch:

The vendor has released an update which addresses the vulnerability. The
update can be downloaded at:

http://echo.nextapp.com/site/node/5742

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

# EOF SEC Consult Vulnerability Lab / @2009