    Issue: Check for XML XXE/XEE Vulnerabilities

    1. issueid=3913 August 12, 2014 3:10 PM
      pegasus
      VaultWiki Team
      Check for XML XXE/XEE Vulnerabilities

      Check that VaultWiki 4 is not vulnerable to XXE and XEE attacks. While VaultWiki only uses XML for responses from whitelisted sites (e.g. PayPal) and for upgrade XML files, should VaultWiki implement an RSS importer in the future (technically it's a regression of a VaultWiki 3 feature), then this possible vulnerability needs to first be addressed.
    Issue Details
    Issue Number 3913
    Issue Type Task
    Project VaultWiki 4.x Series
    Category Permissions / Security
    Status Completed
    Priority 1 - Security / Login / Data Loss
    Target Version 4.0.0 RC 1
    Resolved Version (none)
    Milestone VaultWiki 4.0 Gold
    Software Dependency Any
    License Type Paid
    Votes to perform 0
    Votes not to perform 0
    Attachments 0
    Assigned Users (none)
    Tags (none)




    1. August 13, 2014 5:00 PM
      pegasus
      VaultWiki Team
      VaultWiki is not vulnerable. Since VaultWiki automatically wraps incoming XML in a fake root element (originally designed to make traversing the DOM consistent with vBulletin 3 behavior), this makes any embedded entity definitions become invalid and the parser exits due to the XML being invalid.
    All times are GMT -4. The time now is 11:32 PM.
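
The behaviour described in the reply above, shown as an added example that is not part of the original thread or of VaultWiki's code. Python's standard-library parser stands in for the PHP parser; the wrapper name, the stripping of the XML declaration and the sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical wrapper element name; the thread does not name the real one.
FAKE_ROOT = "wrapper"

# Assumption: a leading XML declaration is stripped before wrapping, because
# "<?xml ...?>" is only legal at the very start of a document.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Constructed sample inputs. The entity is a harmless internal one.
PLAIN = '<?xml version="1.0"?><feed><title>hello</title></feed>'
WITH_DTD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE feed [<!ENTITY greeting "expanded">]>'
    '<feed><title>&greeting;</title></feed>'
)


def parse_direct(xml_text):
    """Parse the document as received: a DOCTYPE in the prolog is honoured."""
    return ET.fromstring(xml_text)


def parse_wrapped(xml_text):
    """Wrap incoming XML in a fake root element, then parse it.

    Returns (element, None) on success, or (None, error_message) when the
    parser rejects the input as not well-formed.
    """
    body = XML_DECL.sub("", xml_text, count=1)
    wrapped = "<{0}>{1}</{0}>".format(FAKE_ROOT, body)
    try:
        return ET.fromstring(wrapped), None
    except ET.ParseError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Unwrapped, the entity declaration is accepted and expanded.
    print("direct :", parse_direct(WITH_DTD).find("title").text)
    # Wrapped, the DOCTYPE sits inside element content, which XML forbids.
    print("wrapped:", parse_wrapped(WITH_DTD))
    # Ordinary documents still parse; the payload is one level deeper.
    print("plain  :", parse_wrapped(PLAIN)[0].find("feed/title").text)
```

A regression test along these lines keeps the property visible if the wrapping step is ever changed or removed.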