wolfd / pwm

PWM is an open source password self service application for LDAP directories. - exported from code.google.com/p/pwm
http://pwmdemo.weisberg.net/

XXE vulnerability in PWM #624

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hello PWM team,

An XML eXternal Entity vulnerability (XXE) is present in the PWM "Configuration Editor".

The XXE vulnerability is present in the "Configuration Editor" menu when uploading a PWM configuration file in XML format (tested with PWM 1.7.1 build 1232).

To do this, the attacker needs access to the "Configuration Editor", then loads a modified XML file (please see screens 01, 02, 03 and 04 attached).
It is possible to use XML entities to read any file on the file system (in the example, /etc/passwd).

He just needs to see the menu page displaying the data (in the example: "change password email pattern"), like in screen 05.

XXE vulnerabilities are detailed here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

I'm waiting for your feedback and for a potential PWM security patch.

Sincerely,

Original issue reported on code.google.com by yann.cam on 10 Nov 2014 at 9:10

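The defensive counterpart to the report above, as an added example that is not PWM's own code: a JAXP DocumentBuilderFactory configured so that an uploaded configuration file carrying a DOCTYPE with an external entity is rejected before any entity is resolved. The class and method names are hypothetical, and the sample upload (with a placeholder file path) is constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class ConfigUploadXxeCheck {

    // Constructed sample: an uploaded "configuration" whose DOCTYPE declares an
    // external entity and references it from a setting value. The file path is
    // a placeholder, not a real target.
    static final String UNTRUSTED_UPLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE settings [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
      + "<settings><setting key=\"email.pattern\">&ext;</setting></settings>";

    // Hardened factory (hypothetical helper): refuse any DOCTYPE, so neither
    // external entities nor internal entity-expansion tricks reach the parser.
    // The remaining features are belt-and-braces for parsers that ignore the first.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Returns true if the upload parsed, false if the hardened parser rejected it.
    static boolean parseUpload(String xml) {
        try {
            DocumentBuilder b = hardenedFactory().newDocumentBuilder();
            Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (Exception e) {
            // With disallow-doctype-decl the sample above ends here with a
            // "DOCTYPE is disallowed" SAXParseException; no file is ever opened.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("accepted=" + parseUpload(UNTRUSTED_UPLOAD));
    }
}
```

A configuration file that legitimately needs no DOCTYPE (the usual case for application settings) parses unchanged with this factory, so the check costs nothing for valid uploads.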

GoogleCodeExporter commented 9 years ago
Thank you for the notification. We will discuss this. 

As far as I can see now, this is not a critical threat in most cases as this can only be done by an administrator. Nevertheless, I can understand the concerns in cases where the PWM administrator should not have access to the OS.

Original comment by menno.pi...@gmail.com on 10 Nov 2014 at 9:18