
Is XXE possible in a file upload with .docx files?

Anders

1 Answer

In an XXE attack, the attacker sends XML including an external entity referencing some secret file or resource on the server. For this to be useful to the attacker, the server needs to include the external entity, and then either (a) return potentially secret data in the response, or (b) have some kind of side effect. The point here is that for an XXE attack to work, there needs to be something parsing the XML. The vulnerability is in how that parser is configured to behave.

A .docx file does indeed contain lots of (zipped) XML. So what does this mean for the case of a file upload?

For the server, it depends on how it treats the file. If it doesn't unzip it and parse the XML, to the server your docx file is just an octet stream like any other. XXE will not have any impact on the server. On the other hand, if there is e.g. a poorly written sanitizing function of some sort that inspects the content of the file, it could be vulnerable.

For the user downloading the file, they are most likely to open it in Microsoft Word. So to successfully attack the client you would need a vulnerability in Microsoft Office. Who knows what is out there, but I think that it would be considered a pretty big deal if you could find one.

Anders
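The server-side case in the answer, the service that does unzip the upload and inspect its XML, is where the parser configuration decides the outcome. Below is an added example (not part of the question or of Anders's answer) of how such an inspection function can be written so that the parser never resolves anything external: every XML part of the .docx is parsed with `xml.parsers.expat` configured to refuse DOCTYPE declarations and external entity references outright, and the declared size of each zip entry is capped. The .docx content is constructed in memory and is a minimal stand-in for a real document; the `file:///PLACEHOLDER_PATH` system identifier in the second sample part is a placeholder, not a real target.

```python
import io
import zipfile
from xml.parsers import expat

# Constructed, minimal OOXML parts for this demonstration; not a real Word document.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>
"""

WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

BENIGN_DOCUMENT = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{WML_NS}">
  <w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body>
</w:document>
"""

# The same part carrying a DOCTYPE that declares an external entity. The SYSTEM
# identifier is a placeholder. OOXML parts never legitimately need a DTD, so a
# DOCTYPE of any kind is grounds for rejection.
DOCTYPE_DOCUMENT = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE w:document [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>
<w:document xmlns:w="{WML_NS}">
  <w:body><w:p><w:r><w:t>&ext;</w:t></w:r></w:p></w:body>
</w:document>
"""


class UnsafeUpload(ValueError):
    """Raised when an upload violates the inspection policy."""


def build_docx(document_xml: str) -> bytes:
    """Pack the two constructed parts into an in-memory .docx (a zip container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def parse_part_hardened(name: str, data: bytes) -> dict:
    """Parse one XML part with expat configured so it cannot resolve anything external.

    Returns the element count and the concatenated text of <w:t> runs; raises
    UnsafeUpload on a DOCTYPE, on an external entity reference, or on malformed XML.
    """
    elements = 0
    text_runs = []
    in_text_run = False

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeUpload(f"{name}: DOCTYPE declarations are not permitted")

    def reject_external_entity(context, base, system_id, public_id):
        raise UnsafeUpload(f"{name}: external entity reference refused")

    def start(tag, attrs):
        nonlocal elements, in_text_run
        elements += 1
        if tag == "w:t":
            in_text_run = True

    def end(tag):
        nonlocal in_text_run
        if tag == "w:t":
            in_text_run = False

    def chars(text):
        if in_text_run:
            text_runs.append(text)

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeUpload(f"{name}: malformed XML ({exc})") from exc
    return {"elements": elements, "text": "".join(text_runs)}


def inspect_docx(blob: bytes, max_part_bytes: int = 20 * 1024 * 1024) -> dict:
    """Unzip an uploaded .docx in memory and run every XML part through the hardened parser.

    Parts whose declared uncompressed size exceeds the cap are rejected before
    being read, a cheap first guard against decompression bombs.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        raise UnsafeUpload(f"not a zip container ({exc})") from exc
    result = {"parts": 0, "elements": 0, "text": ""}
    texts = []
    with zf:
        for info in zf.infolist():
            if info.file_size > max_part_bytes:
                raise UnsafeUpload(f"{info.filename}: declared size {info.file_size} exceeds limit")
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue  # media and other binary parts are not XML and are not parsed here
            part = parse_part_hardened(info.filename, zf.read(info))
            result["parts"] += 1
            result["elements"] += part["elements"]
            if part["text"]:
                texts.append(part["text"])
    result["text"] = "".join(texts)
    return result


def check_upload(blob: bytes) -> tuple:
    """Accept/reject decision for an upload handler: (accepted, reason)."""
    try:
        summary = inspect_docx(blob)
    except UnsafeUpload as exc:
        return False, f"rejected: {exc}"
    return True, f"accepted: {summary['parts']} XML part(s), {summary['elements']} element(s)"


if __name__ == "__main__":
    print(check_upload(build_docx(BENIGN_DOCUMENT)))
    print(check_upload(build_docx(DOCTYPE_DOCUMENT)))
    print(check_upload(b"not a zip at all"))
```

The point of rejecting on `StartDoctypeDeclHandler` rather than on the entity reference alone is that the decision is made before any entity is declared, so the parser's own entity-resolution behaviour never comes into play; the `ExternalEntityRefHandler` is only a second line. The same policy applies to any parser library the upload service actually uses: disable DTD processing and external entity resolution, and treat a DOCTYPE inside an OOXML part as a reason to reject the file.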