Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability
Title: Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability
Advisory ID: ZSL-2016-5301
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (4/5)
Release Date: 30.01.2016
Java/1.8.0_66
Apache-Coyote/1.1
[05.12.2015] Contact with the vendor.
[07.12.2015] Vendor responds asking more details.
[07.12.2015] Sent details to the vendor.
[07.12.2015] Vendor acknowledges the vulnerabilities scheduling patch release timeframe.
[18.12.2015] Vendor fixed the vulnerabilities instructing customers to update.
[29.01.2016] Vendor released security notice and version 10.1.2, 7.9.11 and 7.8.12 to address these issues.
[30.01.2016] Coordinated public security advisory released.
[2] http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
[3] http://www.onehippo.org/about/release-notes/7_9/7.9.11-release-notes.html
[4] http://www.onehippo.org/about/release-notes/7_8/7.8.12-release-notes.html
[5] https://cxsecurity.com/issue/WLB-2016010225
[6] https://packetstormsecurity.com/files/135519
[7] https://www.exploit-db.com/exploits/39391/
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/110381
[31.01.2016] - Added reference [5] and [6]
[01.02.2016] - Added reference [7]
[05.02.2016] - Added reference [8]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5301
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, DoS
Risk: (4/5)
Release Date: 30.01.2016
Summary
Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture.Description
XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application.Vendor
Hippo B.V. - http://www.onehippo.orgAffected Version
10.1, 7.9 and 7.8 (Enterprise Edition)Tested On
Linux 2.6.32-5-xen-amd64Java/1.8.0_66
Apache-Coyote/1.1
Vendor Status
[04.12.2015] Vulnerability discovered.[05.12.2015] Contact with the vendor.
[07.12.2015] Vendor responds asking more details.
[07.12.2015] Sent details to the vendor.
[07.12.2015] Vendor acknowledges the vulnerabilities scheduling patch release timeframe.
[18.12.2015] Vendor fixed the vulnerabilities instructing customers to update.
[29.01.2016] Vendor released security notice and version 10.1.2, 7.9.11 and 7.8.12 to address these issues.
[30.01.2016] Coordinated public security advisory released.
PoC
hippocms_xxe.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.onehippo.org/security-issues-list/security-12.html[2] http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
[3] http://www.onehippo.org/about/release-notes/7_9/7.9.11-release-notes.html
[4] http://www.onehippo.org/about/release-notes/7_8/7.8.12-release-notes.html
[5] https://cxsecurity.com/issue/WLB-2016010225
[6] https://packetstormsecurity.com/files/135519
[7] https://www.exploit-db.com/exploits/39391/
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/110381
Changelog
[30.01.2016] - Initial release[31.01.2016] - Added reference [5] and [6]
[01.02.2016] - Added reference [7]
[05.02.2016] - Added reference [8]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk