CVE-2019-13031 – XXE on LemonLDAP::NG < 2.0.5

Published on: Jul 23 2019 by Calypt

Global presentation

As described on :

LemonLDAP::NG is an open source Web Single Sign On (WebSSO), Access Management and Identity Federation product, written in Perl and Javascript.

LemonLDAP::NG is a free software, released under GPL license.

LemonLDAP::NG is the first SSO software deployed in French administrations. It can handle large-scale organization (tested with hundreds of thousands users). Many private firms use it too.

LemonLDAP has several features including ( :

  • Full Access Control
  • Easy customization
  • Easy integration
  • Identity Federation
  • Sessions explorer / restriction
  • Notifications

Notification Feature

From :

Since version 0.9.4, LemonLDAP::NG can be used to notify some messages to users: if a user has a message, the message will be displayed when he accesses the portal. If the message contains check boxes, the user has to check all of them, otherwise he cannot access the portal or get his session cookie.

Since 1.1.0, a notification explorer is available in Manager, and notifications can be done for all users, with the possibility to display conditions. When the user accepts the notification, the reference is stored in his persistent session.

From version 2.0, notifications are now stored in JSON format. However, it is still possible to choose the old format (XML) with an option in the manager (disabled by default) :
Old XML format is needed

Also, “new JSON notifications can be inserted using REST or SOAP server. If enabled, the server URL is https://auth.your.domain/notifications.” 

The notification server therefore lets a user (or an attacker) post notifications in either JSON or XML format.

XML External Entity


In the lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/ and lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Notifications/ source files, the Perl module XML::LibXML is initialized without options, permitting classic out-of-band XXE.

Vulnerable parser init


A remote unauthenticated attacker can exploit this vulnerability to exfiltrate server files. We need to use “XXE Out of Band” techniques to exfiltrate files via HTTP or FTP. The first step is to host our payload (evil3.dtd) at http://attacker:9090/evil3.dtd.

This payload reads the local /etc/test file, then exfiltrates its content to a web or FTP server controlled by the attacker (here

evil3.dtd hosted on attacker server

Once our payload is hosted, we can launch our attack against the vulnerable LemonLDAP::NG server (here :

Notification that will order LemonLDAP to trigger
malicious payload hosted at

Finally, on the attacker side, the webserver at receives the data :


  • If the extracted file contains newline (“\n”) characters, the parser fails with an “invalid URI” error and the exploit does not work.
  • If the file is too long, the parser fails with an “Entity reference loop” error and the exploit does not work.
  • A firewall restricting outbound traffic can block the external DTD retrieval.


A fix prohibiting external entities has been deployed in v2.0.5 and v1.9.20 :
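As an added illustration (not LemonLDAP::NG's own code or its actual patch), here are the two XML::LibXML initialisations side by side, plus a notification loader that refuses any DTD before parsing. The parser option names are XML::LibXML's documented ones; the notification element names and the reject-DOCTYPE policy are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code. Shows the default (vulnerable)
# parser init beside a hardened one, and a loader that rejects DTDs.
use strict;
use warnings;
use XML::LibXML;

# Vulnerable pattern described in the advisory: default options, so
# external DTDs are fetched and external entities are expanded.
sub vulnerable_parser { return XML::LibXML->new(); }

# Hardened pattern: no entity expansion, no external DTD, no network,
# and libxml2's size/depth limits left on.
sub hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,   # leave &foo; references unexpanded
        load_ext_dtd    => 0,   # never fetch <!DOCTYPE ... SYSTEM "...">
        no_network      => 1,   # no http/ftp access during parsing at all
        huge            => 0,   # keep entity size / nesting limits
    );
}

# Defense in depth: a notification never legitimately carries a DTD, so a
# DOCTYPE (and therefore any ENTITY declaration) is refused before parsing.
# The <root>/<notification> element names are an assumption.
sub parse_notification {
    my ($xml) = @_;
    return ( undef, 'DOCTYPE/ENTITY not allowed' )
        if $xml =~ /<!(?:DOCTYPE|ENTITY)\b/i;
    my $doc  = eval { hardened_parser()->load_xml( string => $xml ) };
    return ( undef, "parse error: $@" ) unless $doc;
    my $name = $doc->documentElement->nodeName;
    return ( undef, "unexpected root <$name>" ) unless $name eq 'root';
    return ( $doc, undef );
}

# Constructed inputs for a local check of the policy (placeholder URI).
my $benign  = '<root><notification uid="alice" reference="R1">'
            . '<title>Hello</title></notification></root>';
my $hostile = '<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
            . '<root>&ext;</root>';

for my $case ( [ benign => $benign ], [ hostile => $hostile ] ) {
    my ( $label, $xml ) = @$case;
    my ( $doc, $err ) = parse_notification($xml);
    print "$label: ", ( $doc ? 'accepted' : "rejected ($err)" ), "\n";
}
```

Run it without arguments: the benign notification is accepted and the hostile one is rejected by the DOCTYPE check before the parser ever sees the entity declaration.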
