This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.

Bug 30271 - Blind XXE vulnerability (SSRF, Out-of-band)
Alias: None
Product: Validator
Classification: Unclassified
Component: check
Version: HEAD
Hardware: PC Windows NT
Importance: P2 critical
Target Milestone: ---
Deadline: 2018-07-31
Assignee: This bug has no owner yet - up for the taking
QA Contact: qa-dev tracking
Reported: 2018-06-30 06:43 UTC by daeladus
Modified: 2018-09-06 14:28 UTC

Payload + received requests at my server (124.63 KB, application/x-zip-compressed)
2018-06-30 06:43 UTC, daeladus

Description daeladus 2018-06-30 06:43:11 UTC
Created attachment 1691
Payload + received requests at my server

Hi guys,

While testing for an XXE attack in an internal penetration test, I used the W3C XML validator to simply check the validity of my PoC XML.

Since I used an internal IP address in the payload and the W3C validator seems to react slowly during validation, I tried this with a URL under my control (Burp Suite Collaborator Tool).

DNS as well as HTTP requests are sent to my server after submitting the form. 
You get 2 screenshots attached:

- one shows the PoC XXE payload on the validator website.
- second shows HTTP and DNS requests coming from your servers to my server.

Please fix this ASAP since it's a very critical issue. This PoC is quite boring but could be exploited easily to do various attacks (file read, using W3C as an attacker proxy and a lot more).

Comment 1 daeladus 2018-09-06 14:28:05 UTC
Well, someone fixed it. No response, but at least the vuln is gone.
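
The outbound DNS and HTTP requests described in this report are what a parser produces when it resolves external entities named in submitted XML. The following is an added example, not code from the W3C validator or from the reporter: a Python check built on the standard-library expat bindings that lists every external DTD and entity in an untrusted document without fetching any of them, so a service can reject the input before validating it. The function names, the sample documents and the `listener.example.invalid` host are constructed for illustration.

```python
from xml.parsers import expat

# Constructed sample input; the host is a placeholder under the reserved .invalid TLD.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc SYSTEM "http://listener.example.invalid/doc.dtd" [
  <!ENTITY probe SYSTEM "http://listener.example.invalid/ping">
]>
<doc>&probe;</doc>"""
BENIGN = b"<?xml version='1.0'?><doc>plain &amp; simple</doc>"


def audit_external_refs(xml_bytes):
    """Return (kind, name, system_id) for everything a resolving parser would fetch."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external DTD subset is itself a remote fetch for a validating parser.
        if system_id is not None:
            findings.append(("external-dtd", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry a system identifier and no inline value.
        if system_id is not None:
            kind = "external-parameter-entity" if is_param else "external-general-entity"
            findings.append((kind, name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Called at the point where a resolving parser would open the URL.
        # Record it, open nothing, and return 1 so the audit covers the whole document.
        findings.append(("reference", context, system_id))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return findings


def accept_for_validation(xml_bytes):
    """Policy: refuse any document that names an external resource."""
    return not audit_external_refs(xml_bytes)


if __name__ == "__main__":
    for finding in audit_external_refs(SAMPLE):
        print(finding)
    print("benign accepted:", accept_for_validation(BENIGN))
```

The parser is left at expat's default of not parsing external parameter entities, so the audit itself performs no network or file access.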