## 📄 Vulnerability Disclosure Report

**Target**: [https://nche.ed.gov](https://nche.ed.gov)

**Date**: 09 May 2025

**Author**: d4m-ee8.sh

**Methodology**: Passive and non-intrusive active analysis, in accordance with disclose.io principles

---

### ⚠️ Executive Summary

This report outlines several misconfigurations and information disclosures identified on the public-facing website `https://nche.ed.gov`. All findings were gathered through passive or non-intrusive techniques, without authentication, file uploads, brute force, or exploitation attempts.

---

## ✅ Findings Summary

| ID | Type | Title | Severity |
| -- | ---------------------- | -------------------------------------------- | ------------- |
| 01 | Misconfiguration | Partial XML Support & Plugin Risk | Medium |
| 02 | Information Disclosure | Publicly Accessible `.htaccess` File | Low |
| 03 | Recon Insight | `wp-links-opml.php` Exposes XML Structure | Low |
| 04 | Misconfiguration | Sitemap XML Fails Due to Missing `SimpleXML` | Medium |
| 05 | Recon | WordPress Setup and Plugin Fingerprinting | Informational |

---

## 🔧 [01] Partial XML Support & Plugin Risk

### 🔍 Description

* `/xmlrpc.php` returns an XML-RPC fault (`faultCode -32700`, "parse error. not well formed") on a POSTed XML method call.
* `/wp-sitemap.xml` returns HTTP 501 with the message `Could not generate XML sitemap due to missing SimpleXML extension`.
* `/wp-links-opml.php` returns well-formed XML.

Taken together, this indicates **incomplete XML support** in the server's PHP environment. Note that the first two observations are separate signals: WordPress renders the sitemap with `SimpleXML`, whereas `xmlrpc.php` parses requests with the expat-based `xml` extension (`xml_parser_create()` in the bundled IXR library). A `-32700` fault on a well-formed body therefore points at the request parser or at how the body reached the server, not at `SimpleXML`; confirm it by sending the request from a file (`--data-binary @request.xml`) before relying on it.

### 🔢 Impact

* Installed plugins (e.g., The Events Calendar, UpdraftPlus) may expect `SimpleXML`. If it is absent, their fallback paths might use unsafe constructs (`eval()`, `include()`, etc.).
* Should such a fallback exist, it could result in Remote Code Execution (RCE), XML External Entity (XXE), or Local File Inclusion (LFI) in plugins that handle XML. This assessment did not confirm any such fallback; it is a hypothesis to be verified against the installed plugin versions.
### 📗 Reproducibility

```bash
curl -s -X POST https://nche.ed.gov/xmlrpc.php \
  -H "Content-Type: text/xml" \
  -d '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName></methodCall>'
```

Returns:

```xml
<faultString>parse error. not well formed</faultString>
```

### 🕹️ PoC (Theoretical XXE)

The payload below is the standard external-entity probe. It was **not** submitted to the target (no exploitation attempts were made); it is included to show what a plugin that parses XML with entity substitution enabled would be exposed to.

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
```

### 📆 Remediation

* Ensure `SimpleXML` and the related extensions (`libxml`, `dom`, `xml`) are installed and enabled.
* Parse untrusted XML with entity substitution disabled: never pass `LIBXML_NOENT` to `simplexml_load_string()` / `DOMDocument::loadXML()` on attacker-controlled input, and add `LIBXML_NONET`. (On PHP 8 with libxml 2.9+ external entity loading is already off by default, which is why `libxml_disable_entity_loader()` is deprecated.)
* Audit plugins for fallback behaviour when XML support is missing.
* Sanitize or disable XML inputs that are not strictly required.

---

## 📰 [02] Public Access to `.htaccess` File

### 🔢 Impact

* Exposes configuration rules that give attackers visibility into rewrite rules and security headers.
* Includes blocking rules for `xmlrpc.php` that are ineffective (likely not applied, since the site appears to be served by nginx, which ignores `.htaccess`).

### 🕹️ PoC

```bash
curl -s https://nche.ed.gov/.htaccess
```

### 📆 Remediation

* Block access to dotfiles via server rules.
* Remove or isolate `.htaccess` if running nginx.

---

## 🔍 [03] OPML Endpoint Exposes XML Generator

### 🔢 Impact

* Publicly returns structured XML (the site's link list in OPML form).
* Harmless on its own, but the output aids reconnaissance and confirms that XML generation works on this host, which matters for chained XML attacks if plugins parse similar inputs.

### 🕹️ PoC

```bash
curl -s https://nche.ed.gov/wp-links-opml.php
```

### 📆 Remediation

* Monitor and sanitize XML-based endpoints.
* Ensure no sensitive data or unintended link disclosure occurs in automated outputs.

---

## 🚫 [04] Sitemap XML Generation Failure

### 🔢 Impact

* Sitemap generation fails because the `SimpleXML` extension is missing.
* Affects SEO, automated indexing, and any plugin or REST-based feature that depends on `SimpleXML`.

### 🕹️ PoC

```bash
curl -s https://nche.ed.gov/wp-sitemap.xml
```

Returns HTTP 501 with a message about the missing XML extension.

### 📆 Remediation

* Install the required PHP modules.
* Confirm sitemap plugins are updated and configured correctly.
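The script below is an added example, not part of the original report or of WordPress. It turns the observations in findings 01, 03 and 04 into repeatable checks (parse the XML-RPC fault, detect the sitemap 501, confirm the OPML is well-formed) and shows the DTD-rejecting intake check that the finding 01 remediation calls for. Every response it works on is a constructed stand-in, not a capture from `nche.ed.gov`; the XXE probe is the report's theoretical payload and is never sent anywhere.

```python
"""Added example (not from the original report): triage helpers for the
XML-endpoint observations in findings 01, 03 and 04, plus the DTD-rejecting
intake check recommended in the remediation. All responses below are
constructed stand-ins, not captures from nche.ed.gov."""
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# --- Constructed sample responses -------------------------------------------
XMLRPC_FAULT = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
  <member><name>faultCode</name><value><int>-32700</int></value></member>
  <member><name>faultString</name>
          <value><string>parse error. not well formed</string></value></member>
</struct></value></fault></methodResponse>"""

SITEMAP_STATUS, SITEMAP_BODY = 501, (
    b"Could not generate XML sitemap due to missing SimpleXML extension")

OPML_OK = b"""<?xml version="1.0"?>
<opml version="1.0"><head><title>Links</title></head>
<body><outline text="Example" type="link" xmlUrl="https://example.org/feed"/></body></opml>"""

# The theoretical XXE probe from finding 01; never sent to the target.
XXE_PROBE = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
             b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')


def xmlrpc_fault(body: bytes):
    """Return (faultCode, faultString) from an XML-RPC fault response, or None."""
    fault = ET.fromstring(body).find("fault")
    if fault is None:
        return None
    code = text = None
    for member in fault.iter("member"):
        name = member.findtext("name")
        if name == "faultCode":
            code = int(member.findtext("value/int"))
        elif name == "faultString":
            text = member.findtext("value/string")
    return code, text


def sitemap_missing_extension(status: int, body: bytes):
    """Name of the PHP extension WordPress reports as missing, or None."""
    m = re.search(rb"missing (\w+) extension", body)
    return m.group(1).decode() if status == 501 and m else None


def is_well_formed(body: bytes) -> bool:
    """True if the body parses as XML (the finding 03 observation)."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def safe_fromstring(body: bytes) -> ET.Element:
    """Parse XML but refuse any document carrying a DTD or entity declaration
    (the rule defusedxml applies), so an XXE probe never reaches a parser that
    might substitute entities. The expat pre-pass raises before any entity
    could be resolved."""
    probe = expat.ParserCreate()

    def reject(*_):
        raise ValueError("DTD or entity declaration rejected")

    probe.StartDoctypeDeclHandler = reject
    probe.EntityDeclHandler = reject
    probe.Parse(body, True)          # raises ValueError on DOCTYPE/ENTITY
    return ET.fromstring(body)


def triage():
    """Map the sample responses onto the report's finding IDs."""
    findings = []
    if xmlrpc_fault(XMLRPC_FAULT) == (-32700, "parse error. not well formed"):
        findings.append("01")
    if is_well_formed(OPML_OK):
        findings.append("03")
    if sitemap_missing_extension(SITEMAP_STATUS, SITEMAP_BODY) == "SimpleXML":
        findings.append("04")
    return findings


if __name__ == "__main__":
    print("findings reproduced:", triage())
    try:
        safe_fromstring(XXE_PROBE)
    except ValueError as exc:
        print("XXE probe blocked:", exc)
```

To run it against the live endpoints, replace the constants with the bodies returned by the three `curl` commands above; `safe_fromstring` is the pattern to reuse wherever a plugin import feature accepts XML or OPML from a user.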
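For the finding 02 remediation, the fragment below is an added nginx example, not the site's actual configuration. It assumes the site is served by nginx in front of PHP-FPM (consistent with the report's observation that the `.htaccess` rules are not applied) and that ACME challenges live under `/.well-known/`; both are assumptions. The weak shape is shown in comments beside the hardened rules.

```nginx
# Added example, not the site's configuration. Assumes nginx + PHP-FPM and an
# ACME challenge path under /.well-known/ (assumptions).

# Weak: a catch-all that forwards every .php request upstream and leaves
# dotfiles readable lets GET /.htaccess and POST /xmlrpc.php through:
#
#   location /          { try_files $uri $uri/ /index.php?$args; }
#   location ~ \.php$   { fastcgi_pass php; include fastcgi_params; }

# Hardened: close XML-RPC and refuse dotfiles. An exact-match location beats
# the ~ \.php$ regex, and a regex location beats the generic "location /".
location = /xmlrpc.php {
    return 403;        # or: allow <automation IPs>; deny all;
}

location ~ /\.(?!well-known/) {
    return 404;        # .htaccess, .git/, .env, ... (404 avoids confirming existence)
}
```

The `.htaccess` file itself can then be removed from the web root, since nginx never reads it; if Apache is reintroduced later, its stock `<FilesMatch "^\.ht">` deny rule provides the equivalent protection.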
---

## 🔟 [05] Recon: WordPress & Plugin Footprint

* WordPress 6.5.3 with multiple known plugins:
  * `the-events-calendar`
  * `enable-media-replace`
  * `updraftplus`
  * `broken-link-checker`
* Several of these plugins parse XML or OPML in their import/export features.
* Combined with the XML-extension problems in findings 01 and 04, this is where any dangerous fallback execution would surface; none was verified in this assessment.

---

## 🔐 Security Headers & CORS

* `Access-Control-Allow-Origin`: restricted to the site's own origin (no wildcard).
* `X-Content-Type-Options`, `Strict-Transport-Security`, `Referrer-Policy`: present and configured correctly.

---

## 🔑 Responsible Disclosure

* No files were uploaded or executed.
* No user data was accessed and no brute-force attempts were performed.
* Only passive and safe GET/POST requests were used.
* Compliant with [disclose.io](https://disclose.io) and ethical research norms.