CVE-2017-8110
📋 TL;DR
This vulnerability allows attackers to perform XML External Entity (XXE) attacks through the modified eCommerce Shopsoftware API. Attackers can read arbitrary files from the server, potentially including sensitive configuration files and credentials. All installations running the affected version are vulnerable.
💻 Affected Systems
- modified eCommerce Shopsoftware
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure of sensitive data like database credentials, followed by data exfiltration or further system exploitation.
Likely Case
Unauthorized access to server files including configuration files, source code, and potentially sensitive customer data stored on the filesystem.
If Mitigated
Limited impact if XML parsing is disabled or properly configured to reject external entities.
🎯 Exploit Status
Public exploit details available in referenced blog posts. XXE attacks are well-documented and relatively easy to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Later versions after 2.0.2.2 rev 10690
Vendor Advisory: Not available in provided references
Restart Required: No
Instructions:
1. Update to the latest version of modified eCommerce Shopsoftware.
2. Verify the api/it-recht-kanzlei/api-it-recht-kanzlei.php file has been patched.
3. Test the API endpoint with XXE payloads to confirm the fix.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Platform: linux
Temporarily disable or restrict access to the vulnerable API endpoint. Either command on its own is enough (after the mv, the original path no longer exists, so do not run both against the same path):
mv /path/to/api/it-recht-kanzlei/api-it-recht-kanzlei.php /path/to/api/it-recht-kanzlei/api-it-recht-kanzlei.php.disabled
chmod 000 /path/to/api/it-recht-kanzlei/api-it-recht-kanzlei.php
Configure PHP to disable external entities
Platform: all
Modify the PHP code to disable XML external entity processing.
Add 'libxml_disable_entity_loader(true);' at the beginning of the vulnerable PHP file. Note that this function is deprecated as of PHP 8.0, where external entity loading is already off by default; on those versions, check instead that no parser call in the file passes the LIBXML_NOENT flag, which re-enables entity substitution.
🧯 If You Can't Patch
- Implement WAF rules to block XXE patterns in API requests
- Restrict network access to the vulnerable endpoint using firewall rules
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with a simple XXE payload:
curl -X POST 'http://target/api/it-recht-kanzlei/api-it-recht-kanzlei.php' --data '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>'
Check Version:
Check the software version in admin panel or look for version files in installation directory
Verify Fix Applied:
Attempt the same XXE payload after patching - should return error or empty response instead of file contents
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to api/it-recht-kanzlei/api-it-recht-kanzlei.php with XML content
- Error logs showing XML parsing failures with external entity references
Network Indicators:
- HTTP POST requests containing XML with DOCTYPE declarations and SYSTEM entities
- Unusual file read patterns from web server process
SIEM Query:
source="web_logs" AND uri="/api/it-recht-kanzlei/api-it-recht-kanzlei.php" AND (request_body CONTAINS "<!ENTITY" OR request_body CONTAINS "SYSTEM")
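As an added example (not part of this advisory), a small Python filter that refines the SIEM query above: it scopes to POST requests on the affected endpoint, ranks external-entity declarations above plain DTDs, tolerates newlines between the DTD tokens, and does not fire on a body that merely contains the word SYSTEM. The request records and bodies are constructed sample data, not captured traffic.

```python
import re
from typing import Optional

# Endpoint named in the advisory; all sample data below is constructed.
VULN_PATH = "/api/it-recht-kanzlei/api-it-recht-kanzlei.php"

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
# General or parameter (%) entity declared with an external SYSTEM/PUBLIC
# identifier; any whitespace, newlines included, may separate the tokens.
EXTERNAL_RE = re.compile(
    r"<!ENTITY\s+%?\s*[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

def classify_body(body: str) -> Optional[str]:
    """Most severe DTD construct in a request body, or None if there is none."""
    if EXTERNAL_RE.search(body):
        return "external-entity"   # file/URL reference: the CVE's pattern
    if ENTITY_RE.search(body):
        return "internal-entity"   # no external ref, but still entity expansion
    if DOCTYPE_RE.search(body):
        return "doctype-only"      # a DTD this API never needs
    return None

def scan_records(records):
    """records: (method, uri, body) tuples; one alert dict per suspicious POST."""
    alerts = []
    for method, uri, body in records:
        if method != "POST" or uri != VULN_PATH:
            continue
        kind = classify_body(body)
        if kind is not None:
            alerts.append({"uri": uri, "kind": kind})
    return alerts

# Constructed request bodies (not captured traffic).
BENIGN = '<?xml version="1.0"?><order><id>42</id></order>'
# Has the word SYSTEM but no DTD: a bare CONTAINS "SYSTEM" rule fires on it.
BENIGN_WORD = "<note>SYSTEM maintenance at 02:00</note>"
XXE = ('<?xml version="1.0"?><!DOCTYPE t [<!ENTITY xxe SYSTEM '
       '"file:///etc/passwd">]><t>&xxe;</t>')
XXE_SPLIT = '<!DOCTYPE t\n[<!ENTITY xxe\n  SYSTEM "file:///etc/passwd">]>\n<t>&xxe;</t>'
INTERNAL = '<!DOCTYPE t [<!ENTITY a "aaaa">]><t>&a;</t>'
SAMPLE_RECORDS = [
    ("POST", VULN_PATH, BENIGN),
    ("POST", VULN_PATH, BENIGN_WORD),
    ("POST", VULN_PATH, XXE),
    ("POST", VULN_PATH, XXE_SPLIT),
    ("POST", VULN_PATH, INTERNAL),
    ("POST", "/checkout.php", XXE),   # other paths are out of scope here
]
```

Running scan_records(SAMPLE_RECORDS) yields two external-entity alerts and one internal-entity alert; the benign bodies and the request to another path produce nothing.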