Sybase EAServer XML External Entity (XXE) Arbitrary File Disclosure

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Sybase install is affected by an arbitrary file disclosure
vulnerability.

Description :

The remote Sybase EAServer install is affected by an arbitrary file
disclosure vulnerability. It is possible to view any file on the system
by utilizing XML external entity injection in specially crafted XML data
sent to the REST service on the remote host.

Note that hosts that are affected by this vulnerability are potentially
affected by other vulnerabilities that Nessus has not tested for.

See also :

http://www.nessus.org/u?a6e04211
http://www.sybase.com/detail?id=1099353

Solution :

Apply the appropriate patch per the vendor's advisory.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N)
CVSS Temporal Score : 6.1
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 69171 ()

Bugtraq ID: 60614
61358

CVE ID: