Tiflash Port 8123 Detected with CVE-2009-3960 Vulnerability

This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: Tiflash 8123端口被扫描出 CVE-2009-3960 漏洞

| username: guoyanliang

[TiDB Usage Environment] Production Environment
[TiDB Version] 5.4.0
[Encountered Issue] Conducting a security scan, CVE-2009-3960 vulnerability was detected, detailed information as follows:
Vulnerability Name: Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05) (CVE-2009-3960) [Principle Scan]
Risk Level: Medium
Highly Exploitable: No
CVE Number: CVE-2009-3960
Port (Service): 8123 (http)
Risk Description: The remote host appears to be running an Adobe product that is vulnerable to XML External Entity (XXE) attacks. When using HTTPChannel to transmit data in AMFX format, the installed version of the product fails to prevent the use of external XML entities. A remote, unauthenticated attacker can exploit this vulnerability to read arbitrary files from the remote system.
Adobe has stated that Adobe BlazeDS, LiveCycle, LiveCycle Data Services, Flex Data Services, and ColdFusion are affected by this issue.
Risk Impact: A remote, unauthenticated attacker can exploit this vulnerability to read arbitrary files from the remote system.
Solution: Apply the appropriate patch provided by the vendor.

Protocol Type: tcp
Risk Evidence:
Sangfor found the following vulnerable HTTPChannel endpoint:

HTTPChannel Endpoint: /flex2gateway/http

Sangfor was able to exploit the issue to retrieve the contents of ‘win.ini’ using the following request:

POST /flex2gateway/http HTTP/1.1
Host: -------:8123
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: application/x-amf
Connection: Keep-Alive
Content-Length: 865
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE foo [ ]> bodyclientIdcorrelationId destinationheadersmessageId operationtimestamptimeToLive DSIdDSMessagingVersion nil1 &Sangfor; 500

This produced the following truncated output (limited to 10 lines):
------------------------------ snip ------------------------------
Code: 62, e.displayText() = DB::Exception: Syntax error: failed at […]

<!DOCTYPE foo [ ]>


------------------------------ snip ------------------------------

Vulnerability ID: SF-0006-01897
[Reproduction Path]
[Problem Phenomenon and Impact] Is this information a false positive or a real security vulnerability?


Please provide the version information of each component, such as cdc/tikv, which can be obtained by executing cdc version/tikv-server --version.

| username: 近墨者zyl | Original post link

For reference, thank you.