PT-2014-64: XML External Entity Injection in Yokogawa FAST/TOOLS
Version: R9.05 SP1 and earlier
Severity level: Low
Impact: Proactive Arbitrary Files Reading, Denial of Service
Access Vector: Local
Base Score: 3.2
Yokogawa FAST/TOOLS is a web-based real-time operations management and visualization software suite. This Enterprise Operations Solution has architectural benefits that significantly advance efficiency, security and improve operational agility of remote Process Management infrastructures.
The specialists of the Positive Research center have detected an XML External Entity Injection vulnerability in the Yokogawa FAST/TOOLS application.
A local attacker can trick the WebHMI server into sending data to an outside computer. This vulnerability can also increase the load of the WebHMI server and the network.
How to fix
Update your software up to the latest version.
20.11.2012 - Vendor gets vulnerability details
28.11.2014 - Vendor releases fixed version and details
26.12.2014 - Public disclosure
The vulnerability was detected by Timur Yunusov, Alexey Osipov and Ilya Karpov, Positive Research Center (Positive Technologies Company)
Reports on the vulnerabilities previously discovered by Positive Research: