Critical severity 9.9 · NVD Advisory · Published Oct 10, 2017 · Updated May 13, 2026

CVE-2017-13706

Description

XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XXE in the Lansweeper deployment module before 6.0.100.67 allows remote authenticated users to disclose sensitive data, cause denial of service, and perform SSRF and internal port scans.

Vulnerability

Lansweeper versions prior to 6.0.100.67 are affected by an XML External Entity (XXE) vulnerability in the import package functionality of the deployment module. The issue resides in /deployment/DeploymentActions.aspx with the action=importPackage parameter. An authenticated remote user can exploit this by sending a crafted XML payload via a POST request containing a reference to an external entity. The vulnerable versions include 6.0.100.29 and all earlier releases [1][2].

Exploitation

An attacker must have valid user credentials to access the Lansweeper web interface. They then send a POST request to /deployment/DeploymentActions.aspx?action=importPackage with a multipart/form-data body containing an XML payload that defines an external entity. The entity can point to a local file, an internal service, or an external server. No additional user interaction is required; the XML is processed server-side when the import package action is triggered [2].

Impact

Successful exploitation leads to multiple severe outcomes: disclosure of sensitive information from the server's file system, denial of service (via entity expansion), server-side request forgery (SSRF) allowing internal network reconnaissance, and port scanning from the Lansweeper server's perspective. The attacker can potentially gain access to internal resources and data that should be isolated [1][2].

Mitigation

The vulnerability is fixed in Lansweeper version 6.0.100.67, which was released prior to the public disclosure date of October 6, 2017. The vendor's changelog indicates that this update addresses security issues, but specific details are not publicly available. Users should upgrade to version 6.0.100.67 or later immediately. No workaround is provided for unpatched versions [3].
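
A detection sketch for the request described under Exploitation, added here as an example and not taken from Lansweeper or the cited references: it inspects a captured POST to the import-package endpoint and flags XML parts that declare a DTD or an external entity, including UTF-16 uploads that would slip past a plain byte match. The function names, the multipart field and file names, and the `<package>` sample documents are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.policy import HTTP

# Endpoint and action named in the advisory text; compared case-insensitively.
ENDPOINT = "/deployment/deploymentactions.aspx"
ACTION = "action=importpackage"
# Assumption: a legitimate package upload carries no DOCTYPE, so any DTD is
# worth flagging; SYSTEM/PUBLIC entity declarations are the XXE marker.
DTD_RE = re.compile(rb"<!\s*(?:DOCTYPE|ENTITY)\b", re.I)
EXTERNAL_RE = re.compile(rb"<!\s*ENTITY\s+(?:%\s*)?[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)

def normalise(data):
    """Re-encode BOM-marked UTF-16 uploads so the byte patterns still match."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace").encode("utf-8")
    return data

def inspect_import_request(method, url, content_type, body):
    """Return (part name, finding) tuples for one captured HTTP request."""
    path, _, query = url.partition("?")
    if method.upper() != "POST" or path.lower() != ENDPOINT or ACTION not in query.lower():
        return []
    # Prepend the Content-Type header so the stdlib MIME parser can split the body.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw, policy=HTTP)
    findings = []
    for part in (msg.iter_parts() if msg.is_multipart() else [msg]):
        data = normalise(part.get_payload(decode=True) or b"")
        name = part.get_filename() or "<unnamed part>"
        if EXTERNAL_RE.search(data):
            findings.append((name, "external-entity"))
        elif DTD_RE.search(data):
            findings.append((name, "dtd-declared"))
    return findings

def build_sample(xml_bytes, filename="pkg.xml"):
    """Constructed multipart body for testing; field and file names are made up."""
    head = b'--b1\r\nContent-Disposition: form-data; name="file"; filename="'
    return head + filename.encode() + b'"\r\nContent-Type: text/xml\r\n\r\n' + xml_bytes + b"\r\n--b1--\r\n"

CT = "multipart/form-data; boundary=b1"
URL = "/deployment/DeploymentActions.aspx?action=importPackage"
# Constructed documents: <package> is a placeholder root, not Lansweeper's real schema.
BENIGN = b"<package><name>demo</name></package>"
FLAGGED = '<!DOCTYPE package [<!ENTITY e SYSTEM "http://example.invalid/">]><package/>'
```

Matching on the declaration rather than on a specific URI scheme keeps the check independent of where the entity points.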

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

3
