CVE-2009-5135
Echo < 2.1.1 and 3.x < 3.0.b6 - XML External Entity Injection
Exploitation Summary
EIP tracks 1 public exploit for CVE-2009-5135. PoCs published by SEC Consult.
AI-analyzed exploit summary: The advisory details an XML injection vulnerability in NextApp Echo < 2.1.1, where unverified XML data from the client is processed by the server's XML parser. The PoC demonstrates entity declaration injection to read arbitrary files (e.g., boot.ini).
Description
The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows remote attackers to read arbitrary files via a request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.