CandidATS is an open source applicant tracking system, often used by businesses to manage resumes and job applications. In version 3.., though, a serious security hole was discovered—CVE-2022-42745—that lets attackers read any file from the server, remotely and without logging in.
That’s as bad as it sounds. By abusing an XXE (XML External Entity) vulnerability, a hacker can steal passwords, configuration files—even private user data. Let’s break down what was found, see some code, and look at how this bug works in real life.
What’s XXE, Anyway?
XXE stands for XML External Entity Injection. In simple terms: if a web app parses XML but isn’t careful, attackers can slip in their own instructions for the XML parser to go grab files from the server and send them back.
It’s a common problem in older PHP systems. If you let a user upload XML, but don't lock down the parser's features, you might let them craft a payload reading /etc/passwd or any file they want.
CandidATS 3..: Where’s the Bug?
In CandidATS 3.., some parts of the system let you import XML—for example, when managing resumes or job data. Unfortunately, the code uses PHP’s simplexml_load_string() or similar functions, without disabling the dangerous features that enable external entities.
Here’s a _fictionalized but representative snippet_ similar to what’s in the codebase:
    <?php
    // Fictionalized handler for an uploaded XML resume (not the real CandidATS code).
    if (isset($_FILES['xml_resume'])) {
        $xmlString = file_get_contents($_FILES['xml_resume']['tmp_name']);
        // Parsed with libxml defaults: no DOCTYPE check, external entity loader left enabled.
        $xmlObj = simplexml_load_string($xmlString); // XXE can happen here!
        // ... process the resume ...
    }
By default, SimpleXML enables external entity loading if you don’t explicitly turn it off.
With the XXE vulnerability, you can send an XML file like this:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE root [
      <!ENTITY secret SYSTEM "file:///etc/passwd">
    ]>
    <resume>
      <name>&secret;</name>
    </resume>
Here’s what’s happening:
- The <!ENTITY secret SYSTEM "file:///etc/passwd"> line tells the parser to grab /etc/passwd from the server and assign it to the entity &secret;.
- When the app processes this XML and reads the <name>, it actually reads the contents of /etc/passwd.
If the app later shows back the <name> field or logs it, the attacker gets the file contents.
Assume CandidATS lets you upload XML resumes via a POST request:
    curl -F "xml_resume=@payload.xml" https://candidats-server/job_upload.php
If the server echoes the extracted “name” back in its response, or stores it somewhere the attacker can later view, the file contents are now in the attacker’s hands.
What can be read? Anything the web server’s user can read, including:
- /etc/passwd and /etc/shadow (on Linux)
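The fix is to parse uploads so that a payload like the one above cannot work at all. The following is an added example, not CandidATS code, showing a hardened replacement for the simplexml_load_string() call in the snippet above; the function and exception names are assumptions, while the libxml and SimpleXML calls are real PHP APIs.

```php
<?php
// Added example (not CandidATS code): hardened replacement for the
// simplexml_load_string() call shown earlier. Names are assumptions.
final class UnsafeXmlException extends RuntimeException {}

function safe_load_xml(string $xml): SimpleXMLElement
{
    // 1. Refuse any document that declares a DTD. The /etc/passwd payload,
    //    like every XXE payload, needs <!DOCTYPE ...> to define its
    //    entities, and a resume upload has no legitimate use for one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new UnsafeXmlException('DOCTYPE/DTD is not allowed in uploads');
    }

    // 2. On PHP < 8.0 the external entity loader is on by default, so turn
    //    it off. PHP 8.0+ disables it by default and deprecates this call,
    //    hence the version guard.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // 3. Parse with LIBXML_NONET so the parser can never fetch network URIs,
    //    and deliberately without LIBXML_NOENT, so entity references are
    //    never substituted with their (possibly file-backed) contents.
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    if ($doc === false) {
        $errors = array_map(fn($e) => trim($e->message), libxml_get_errors());
        libxml_clear_errors();
        throw new UnsafeXmlException('Malformed XML: ' . implode('; ', $errors));
    }
    return $doc;
}

// Constructed inputs: the article's payload and a benign resume.
$attack = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY secret SYSTEM "file:///etc/passwd"> ]>
<resume><name>&secret;</name></resume>
XML;
$benign = '<?xml version="1.0"?><resume><name>Jane Doe</name></resume>';

try {
    safe_load_xml($attack);
} catch (UnsafeXmlException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'parsed name: ', (string) safe_load_xml($benign)->name, PHP_EOL;
```

Because the DOCTYPE check is a byte match, reject or transcode uploads that are not UTF-8 before calling it; a UTF-16 encoded prolog would otherwise slip past the regex.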
References
- CVEdetails: CVE-2022-42745
- OWASP XXE Guide (XML External Entity Processing)
- Original CandidATS Project
- PHP XXE Prevention Doc
Closing Thoughts
While XML may seem old-fashioned, it’s still used in many business systems, and a forgotten XXE bug like this one can have huge consequences. If you’re running CandidATS 3..—or any web app that takes XML input—patch it or use modern libraries. Don’t let your users’ data be an easy target.
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/05/2022 00:32:00 UTC