The Bulk Import feature at http://127.0.0.1:9090/app/bulkproducts is vulnerable to an XML External Entity (XXE) attack.
This can be easily exploited by supplying an input like the one below:
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY bar SYSTEM "file:///etc/passwd" >]>
<products>
<product>
<name>Playstation 4</name>
<code>274</code>
<tags>gaming console</tags>
<description>&bar;</description>
</product>
</products>
The resulting product's description will contain the contents of /etc/passwd.
Vulnerable code snippet
core/appHandler.js
...
module.exports.bulkProducts = function(req, res) {
if (req.files.products && req.files.products.mimetype=='text/xml'){
// noent:true turns on entity substitution, so the external entity &bar; is resolved and the file contents are inlined into the document
var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true,noblanks:true})
...
Solution
The XML parsing library used is libxmljs, which is configured here with noent:true and therefore resolves and substitutes external entities. Entity substitution is disabled by changing the value of the noent flag to false.
core/appHandler.js
...
module.exports.bulkProducts = function(req, res) {
if (req.files.products && req.files.products.mimetype=='text/xml'){
// noent:false leaves entity references unsubstituted, so &bar; is never resolved to the file contents
var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:false,noblanks:true})
...
Fixes
Implemented in the following file:
- core/appHandler.js
The fix has been implemented in this commit.
Recommendation
- Ensure that external entity parsing is disabled
- If parsing is absolutely required, then validate the data before parsing
Reference