AOH :: HP Unsorted N :: VA2833.HTM

NextApp Echo XML Injection Vulnerability



SEC Consult SA-20090305-0 :: NextApp Echo XML Injection Vulnerability
SEC Consult SA-20090305-0 :: NextApp Echo XML Injection Vulnerability



SEC Consult Security Advisory < 20090305-0 >
=======================================================================                  title: NextApp Echo XML Injection Vulnerability
                program: NextApp Echo
     vulnerable version: Echo2 < 2.1.1
homepage: http://echo.nextapp.com/site/echo2 
                  found: Feb. 2008
                     by: Anonymous / SEC Consult Vulnerability Lab
         permanent link:
http://www.sec-consult.com/files/20090305-0_echo_nextapp_xml_injection.txt 
=======================================================================
Vendor description:
-------------------

Echo is a platform for building web-based applications that approach the
capabilities of rich clients. The applications are developed using a
component-oriented and event-driven API, eliminating the need to deal
with the "page-based" nature of browsers. To the developer, Echo works
just like a user interface toolkit.

Vulnerability overview:
-----------------------

Unverified XML Data is passed from the client (Webbrowser) to the
NextApp Echo Engine  and consequently to an underlying XML Parser. This
leading to a typical XML Injection scenario.

Vulnerability description:
--------------------------

All XML requests for the framework are created by javascript and than
sent to the Server via POST HTTP requests. 

A typical requests would look like the following:

---cut here---
xmlns="http://www.nextapp.com/products/echo2/climsg" 
trans-id="3" focus="c_25">aa
---cut here---

By manipulating the POST content it is possible to inject arbitrary XML
declarations- and tags.

Proof of concept:
-----------------

The following entity declaration would create a new XML entity with the
content of the boot.ini file which can be referenced in the following
XML request content:

---cut here---
]>
---cut here---

Vulnerable versions:
--------------------
NextApp Echo v2.1.0.rc2


Vendor contact timeline:
------------------------
2009/02/16: Vendor notified via email
2009/02/24: Patch available


Patch:
-----------------

The vendor has released an update which addresses the vulnerability. The
update can be downloaded at:

http://echo.nextapp.com/site/node/5742 

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com 

# EOF SEC Consult Vulnerability Lab / @2009


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.