Last week I received this email message from Charlie Briggs:
He explains the exploit very well.
Hi there,
I am emailing to notify that the Advanced XML Reader plugin published here: http://ww.wp.xz.cn/extend/plugins/advanced-xml-reader/ is susceptible to XXE (XML eXternal Entity) processing attacks. After installing your plugin on a Windows machine, I created a text file in the root of C:\ named “test.txt”, which contained the text “This is a test file”. I then crafted an XML file named “test2.xml” which consisted of the following:
<?xml version=”1.0″ encoding=”utf-8″?>
<!DOCTYPE foo [
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM “file:///c:/test.txt” >]>
<doc>
<test>Contents of C:\test.txt: &xxe;</test>
</doc>
As you can see, this XML document attempts to load “test.txt” into the entity &xee. Upon uploading this file to dropbox (http://dl.dropboxusercontent.com/u/5022066/test2.xml), I proceeded to enter the address into the field on the plugin page and saved the settings (see screenshot). This gave me the tag to use: [advanced-xml tag=”test”]
Following this, I created a new post with the short tag, and the contents of the post once saved was “Contents of C:\test.txt: This is a test file”, indicating that reading a file was possible (see screenshot).
Theoretically, should an attacker be able to obtain the privileges needed to update the settings and create a post, he or she could potentially exploit this vulnerability to read system files, such as /etc/passwd on a Linux server. Also, using PHP wrappers, it is possible to load the wp-config.php file, using this:
<!ENTITY xxe SYSTEM “php://filter/read=convert.base64-encode/resource=file:///c:/htdocs/wordpress/wp-config.php” >]>
This encodes the file into Base64 (see screenshot), which can then be decoded via a service such as http://www.base64decode.org/ to the plaintext of the WordPress configuration file.
Kind regards,
-Charlie Briggs.
Will you be updating the plugin to correct this issue?
Unfortunately not. The plugin is a bit old and I don’t have the time to work on it.
I was just looking for a way to delete the plugin (at least from the search results, to prevent people using it). Because it’s definitely not save to use this plugin.
You need to contact plugins [at] ww.wp.xz.cn asap. If you flag the email with a subject along the lines of “Request to remove plugin: known security issue”, the plugin team should (hopefully) remove the plugin from the Repo as fast as they can. I’ve also tagged this topic for their attention.
I removed the plugin from the listings for you.
Thanks for the fast response!
