CandidATS, an open source Applicant Tracking System, is widely used by organizations to manage the recruitment process. A security vulnerability, CVE-2022-42745, was reported in CandidATS version 3... In this post, we discuss how an unauthenticated external attacker can exploit this vulnerability to read arbitrary files from the server through an XML External Entity (XXE) attack.

Before delving into the details, let's first understand what XXE is and why it's considered dangerous.

What is XXE?

XML External Entity (XXE) injection is a vulnerability in applications that parse untrusted XML with a parser that honours document type definitions (DTDs) and resolves external entities. The attacker declares an entity in the DTD whose SYSTEM identifier points at a local file or a URL; when the parser expands a reference to that entity, the file contents or the fetched response are spliced into the document. Depending on what the application does with the parsed result, this lets the attacker read files on the server, make requests from the server to internal hosts (server-side request forgery), or cause denial of service through recursive entity expansion. Command execution is possible only in unusual configurations (for example through PHP's expect:// stream wrapper), so XXE is best thought of primarily as a file-read and SSRF primitive.

Now, let's look at how CVE-2022-42745 can be exploited in CandidATS 3...

Exploit Details

In CandidATS, the vulnerable code is a PHP file that parses XML supplied by the client with external entity resolution enabled. Because the input is neither restricted to a DTD-free document nor parsed with entity substitution disabled, an attacker can submit XML that declares an external entity and have the parser read an arbitrary file from the server on their behalf.

To demonstrate this attack, consider the following XML payload:

<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>

Here, the DTD declares an external entity named xxe whose SYSTEM identifier is file:///etc/passwd, and the document body references it. /etc/passwd is world-readable on Unix-based systems and contains user account information but no password hashes; it is the conventional proof that the file-read primitive works. The same entity can point at any file the web server's user can read, such as the application's configuration file holding database credentials.

An attacker then submits this payload to the vulnerable endpoint in CandidATS. When the application parses the XML, the parser resolves the external entity, reads /etc/passwd and substitutes its contents for &xxe;, and the application echoes the parsed value back in its response. One caveat: the file appears in the response only because the application reflects the parsed value; where an application does not, the same class of bug is usually still exploitable blind, by using parameter entities to push the file contents to an attacker-controlled server. Either way, the attacker gains unauthorized access to sensitive server information without needing an account.

To mitigate this vulnerability, the XML parsing code must not resolve external entities. In PHP this means never passing LIBXML_NOENT (or LIBXML_DTDLOAD) to DOMDocument::loadXML, simplexml_load_string or similar functions, and, as a belt-and-braces measure, rejecting any input that contains a DOCTYPE at all, since a well-formed request from a legitimate client has no reason to carry one. The developers of CandidATS have already released a patched version of the software to address this issue.
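The following PHP script is an added example, not CandidATS code, written to illustrate both the exploit above and the mitigation just described. It feeds the same payload to a deliberately vulnerable parser, which expands the entity and returns the file, and to a hardened parser, which refuses the document. The function names parseVulnerable and parseHardened are assumptions made for this illustration; the script assumes PHP 8 with ext/dom and ext/libxml, run from the command line on a Unix-like host where /etc/passwd exists.

```php
<?php
// Added example (not part of CandidATS): the same XML payload parsed by a
// deliberately vulnerable parser and by a hardened one.
// Assumptions: PHP 8 with ext/dom and ext/libxml; a Unix-like host so that
// /etc/passwd exists. Function names below are hypothetical.

// Constructed attacker payload, same shape as the one shown in the post.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
XML;

// Vulnerable: LIBXML_NOENT tells libxml to substitute entities, and for a
// SYSTEM entity that means fetching the referenced file. A DTD arriving in
// untrusted input is accepted without complaint, so this is an XXE sink.
function parseVulnerable(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);          // the flag that makes this exploitable
    return $dom->documentElement->textContent;  // now holds the contents of /etc/passwd
}

// Hardened: refuse any document carrying a DOCTYPE before it reaches the
// parser, never pass LIBXML_NOENT or LIBXML_DTDLOAD, forbid network access
// with LIBXML_NONET, and install an entity loader that resolves nothing, so
// that even a future flag mistake cannot reach the file system.
function parseHardened(string $xml): string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DTD not allowed in XML input');
    }

    // Any attempt to load an external entity returns null, which libxml
    // treats as a failed load rather than a file read.
    libxml_set_external_entity_loader(
        static function (?string $public, string $system, array $context) {
            return null;
        }
    );

    $previousErrorMode = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);    // default options: no entity substitution
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    if (!$ok) {
        $first = $errors[0]->message ?? 'unknown parser error';
        throw new InvalidArgumentException('malformed XML: ' . trim($first));
    }
    return $dom->documentElement->textContent;
}

echo "vulnerable parser returned:\n";
echo parseVulnerable($payload), "\n";   // the first lines of /etc/passwd appear here

echo "hardened parser:\n";
try {
    echo parseHardened($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A benign document, the only kind a legitimate client should ever send,
// still parses normally through the hardened path.
echo 'benign input: ', parseHardened('<root>hello</root>'), "\n";
```

Run it with php on a host where /etc/passwd exists: the vulnerable path prints the file, the hardened path prints "rejected: DTD not allowed in XML input", and the benign document prints "hello". Rejecting the DOCTYPE up front is deliberate: it is the one check that does not depend on remembering which libxml flags are safe in which PHP version.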

For more information on the CVE-2022-42745 vulnerability, consult the following resources

1. The official CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42745
2. The National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2022-42745

Conclusion

CVE-2022-42745 highlights the importance of securing XML parsing operations in web applications: an endpoint that parses client-supplied XML with external entity resolution enabled is, in effect, an unauthenticated file-read primitive. By understanding how XXE attacks work, developers can take adequate precautions to prevent unauthorized access to sensitive server information.

In the case of CandidATS, the developers have addressed this vulnerability by patching the application in subsequent releases. CandidATS users should nevertheless remain vigilant and ensure they run the latest version of the software, and review any other code paths that parse XML, to protect their systems from attackers.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/05/2022 00:32:00 UTC