The XML parser used to parse XML files (including XLSX) during import (“Import Records” action) does not prevent the use of external entities which allows an attacker to perform HTTP requests to arbitrary hosts, including internal ones, and in addition allows reading and exfiltrating the contents of arbitrary files, given they can be transported via a HTTP GET or included within a XML document without further encoding. and this write-up was only released after a patch was available (see timeline below).
The issue was privately disclosed to Claris, Inc. If you’re running FileMaker Server, make sure to install patch 19.4.1 to mitigate this attack vector. The following is a description of the vulnerability including potential exploitation paths. The vulnerability is/was indeed there and can lead to local file disclosure and server side request forgery in various components of the FileMaker platform.
CVE-2021-44147: XML External Entity Vulnerability in Claris FileMakerĪ couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering if any XXE vulnerability may exist and how one could exploit this in technically interesting ways.
0 kommentar(er)
