4D Server XML External Entity Vulnerability in SOAP Endpoints Allowing Arbitrary File Read and SSRF

Vulnerability

A vulnerability exists in the 4D Server SOAP endpoints, specifically in version 20 R3, due to improper handling of XML external entities (XXE). This flaw enables unauthenticated attackers to read arbitrary files from the application server and adjacent network shares. Additionally, the vulnerability allows for server-side request forgery (SSRF) by causing the server to perform HTTP GET requests to external services. The issue arises because the XML parser resolves external entities declared in the request, which can be exploited to exfiltrate sensitive information or interact with other network services.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the application server and adjacent network shares. The vulnerability also facilitates SSRF attacks, allowing attackers to make requests to internal services or resources.

Reproduction

The vulnerability can be reproduced by sending a crafted XML payload to the '/4DSOAP' endpoint that includes an external entity reference. Such a payload can be designed to read files from the server's file system or from network shares. Once the server processes the payload, the exfiltrated data can be retrieved from the attacker-controlled server that the external entity points to.
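A defender-side check for the condition described above, added here as an example and not code from 4D or from this advisory: a pre-filter that inspects an XML request body for a DOCTYPE declaration and for entity declarations with a SYSTEM or PUBLIC identifier before the body reaches the SOAP handler. It uses only the Python standard library expat parser and installs no ExternalEntityRefHandler, so inspecting a document never causes a network fetch or file read. The endpoint path is the one named in this advisory; the two sample requests are constructed for the test and the placeholder URL in them does not belong to any real host.

```python
import xml.parsers.expat

SOAP_PATH = "/4DSOAP"  # endpoint named in the advisory


def inspect_xml_body(body: bytes) -> dict:
    """Report DOCTYPE and entity declarations found in an XML request body.

    expat only invokes our declaration handlers; because no
    ExternalEntityRefHandler is set, any external entity is skipped rather
    than resolved, so inspection itself has no side effects.
    """
    findings = {
        "well_formed": True,
        "doctype": None,
        "external_entities": [],   # declarations carrying a SYSTEM/PUBLIC id
        "parameter_entities": [],  # '%name;' entities, used to build DTD tricks
    }
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = {
            "name": name,
            "system_id": system_id,
            "public_id": public_id,
            "has_internal_subset": bool(has_internal_subset),
        }

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        if is_parameter:
            findings["parameter_entities"].append(name)
        if system_id is not None or public_id is not None:
            findings["external_entities"].append(
                {"name": name, "system_id": system_id, "public_id": public_id}
            )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        findings["well_formed"] = False
    return findings


def classify_xml_body(body: bytes) -> str:
    """Return 'ok', 'doctype' or 'malformed' for a request body.

    A SOAP envelope never legitimately carries a DTD, so the safe policy is
    to reject any DOCTYPE at all, not only ones that declare external
    entities; that also covers parameter-entity and internal-entity tricks.
    """
    findings = inspect_xml_body(body)
    if not findings["well_formed"]:
        return "malformed"
    if findings["doctype"] is not None:
        return "doctype"
    return "ok"


# Constructed sample requests for demonstration (not captured traffic).
SAFE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><GetStatus/></soap:Body></soap:Envelope>"
)
DOCTYPE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "http://example.invalid/placeholder">]>'
    b"<Envelope><Body>&ext;</Body></Envelope>"
)


def handle_request(path: str, body: bytes) -> tuple[int, str]:
    """Hypothetical front-end hook: reject DTD-bearing bodies before parsing."""
    if path == SOAP_PATH:
        verdict = classify_xml_body(body)
        if verdict != "ok":
            return 400, f"rejected: {verdict}"
    return 200, "forwarded to SOAP handler"


if __name__ == "__main__":
    for label, req in (("safe", SAFE_REQUEST), ("doctype", DOCTYPE_REQUEST)):
        print(label, handle_request(SOAP_PATH, req), inspect_xml_body(req))
```

Rejecting on any DOCTYPE is the policy most XML-consuming services can afford, since SOAP envelopes are schema-described and never need a DTD; logging the `external_entities` and `parameter_entities` findings alongside the rejection gives the SOC a ready-made detection signal while the upgrade to a fixed 4D Server release is rolled out.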

Remediation

Users are advised to update to 4D Server version 20 R7 or higher.

Added: Apr 30, 2026, 8:09 AM
Updated: Apr 30, 2026, 8:09 AM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          2.5
exploitability  9.5
remediation     7.7
relevance       7.1
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.