{"vuid":"VU#303900","idnumber":"303900","name":"SAP Sybase Adaptive Server Enterprise vulnerable to XML injection","keywords":["Sybase","ASE","server","XXE","XML","SQL","information disclosure","CWE-91"],"overview":"SAP Sybase Adaptive Server Enterprise Version 15.7 ESD 2 and possibly earlier versions contains an XML injection vulnerability (CWE-91).","clean_desc":"CWE-611: Improper Restriction of XML External Entity Reference ('XXE')\nSAP Sybase Adaptive Server Enterprise (ASE) Version 15.7 ESD 2 contains an XML injection vulnerability, which can lead to information exposure. This is due to the expanded use of XML External Entity (XXE) Processing. The XMLParse procedure is vulnerable to attack. Using a specially crafted SQL request, an authenticated attacker may be able to read files with the permissions of the user running the ASE application. For example, the attacker can read the /etc/passwd file of the server using the following SQL query: SELECT xmlextract('/', xmlparse('<?xml version=\"1.0\" standalone=\"yes\"?><!DOCTYPE content [ <!ENTITY abc SYSTEM \"/etc/passwd\">]><content>&abc;</content>'))","impact":"An authenticated attacker may be able to use the vulnerabilities to read user credentials. This may be used to obtain unauthorized administrative or privileged access to the system.","resolution":"Apply an Update\nSAP has released a patch on the Sybase downloads page. If an update cannot be applied, please consider the following workaround.","workarounds":"Disable XXE\nBy disabling the external general entities feature of the SAXParserFactory used to parse the XML within Java code, the attacker cannot successfully make these requests. More details can be found on the OWASP XML External Entity (XXE) Processing page.","sysaffected":"","thanks":"Thanks to Igor Bulatenko for reporting this vulnerability.","author":"This document was written by Adam Rauf.","public":["http://cwe.mitre.org/data/definitions/611.html","http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise"],"cveids":["CVE-2013-6025"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2012-12-28T13:06:56Z","publicdate":"2013-10-01T00:00:00Z","datefirstpublished":"2013-10-17T12:51:34Z","dateupdated":"2013-12-05T22:06:48Z","revision":30,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"A","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"2.3","cvss_basevector":"AV:A/AC:M/Au:S/C:P/I:N/A:N","cvss_temporalscore":"1.8","cvss_environmentalscore":"1.3694984935128","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}