Date: 2014-03-13
Alfresco's internal security testing revealed a number of security issues. We have no evidence that these are being exploited in the wild, but we recommend users upgrade to the latest releases of Alfresco, such as Community Edition 4.2.f.
Severity: High
Exploitable: Remotely by authenticated users
Related Issues: MNT-10539
Affects: Alfresco 3.x before 3.4.13.5, Alfresco 4.0.x before 4.0.2.44, Alfresco 4.1.x before 4.1.7.3, and Alfresco 4.2.x before 4.2.0.3 and
Fixed in: 3.4.14, 4.1.8. 4.2.1, 4.2.f, with hotfixes available for other supported versions.
XML documents may contain embedded document type definitions that contain references to external XML entities (XML External Entity / XEE). When parsing an external entity, an XML parser will attempt to fetch the entity from the URI specified in the entity definition.
Using external entities, it is possible to form a document type definition that will cause the parser to execute a series of remote calls (over HTTP or FTP) that can include the content of files or directory listings from the repository server.
This vulnerability could be exploited in a number of ways, since there are many places in Alfresco where externally-provided XML documents are parsed for various reasons. Some of these are in Alfresco’s own code, and some are in third-party libraries used by Alfresco such as Apache POI. The solution that has been developed by Alfresco closes this vulnerability in all code that makes up the Alfresco product, including any occurrences in third-party libraries used by Alfresco.
Here is a small XML document that would result in an external file being retrieved when parsed:
In this case, the retrieved file could itself contain further external entities that the parser would continue to resolve. The fact that FTP URLs can be used opens up the potential for information to be sent from the local server to the malicious server.
One way to demonstrate this vulnerability is to include the XML above in the payload of a WebDAV request to Alfresco such as a simple LOCK request (with a valid hostname substituted for “malicious.example.com”). Prior to the fix, monitoring network traffic will show that a GET request is made from the Alfresco server to the “malicious” server when the request is parsed. After the fix is applied, this is no longer the case.
It’s important to note that this vulnerability is due to the way XML parsers work in order to conform to the XML specification - it is not specific to Alfresco. Customers are advised to check other software systems that they have deployed in which externally-provided XML files (including Microsoft Office files such as “.docx” and “.xlsx”) may be parsed.
This vulnerability can be remediated on existing Alfresco installations with an AMP available through Maven, using this artifact reference:
<dependency>
<groupId>org.alfresco</groupId>
<artifactId>alfresco-xmlfactorypatch</artifactId>
<version>1.0</version>
<type>amp</type>
</dependency>
Severity: High
Exploitable: Remotely by authenticated users
Related Issues: MNT-10540
Affects: Alfresco 3.x before 3.4.13.5, Alfresco 4.0.x before 4.0.2.44, Alfresco 4.1.x before 4.1.7.3, and Alfresco 4.2.x before 4.2.0.3 and 4.2.e.
Fixed in: 3.4.14, 4.1.8. 4.2.1, 4.2.f, with hotfixes available for other supported versions.
There were a few places in the Share application where the JSON object used to hold a user’s preferences was being evaluated. If an attacker was able to hijack an authenticated user's session, they would be able to write JSON into that user's preferences which would then cause malicious code to be executed in the browser when the user subsequently logged in.
One example of this happening in the Share code was in the “updateRecentSites” function in the file 'share-header.lib.js'. This function makes a remote call to retrieve the logged-in user’s preferences from the repository, and the JSON returned by that call was being evaluated, thereby executing the malicious code.