# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng  
# CVE: CVE-2020-26564  
# Exploit Title: ObjectPlanet Opinio version 7.13/7.14 allows XXE injection  
# Vendor Homepage:  
# Software Link:  
# Timeline  
- September 2020: Initial discovery  
- October 2020: Reported to ObjectPlanet  
- November 2020: Fix/patch provided by ObjectPlanet  
- July 2021: CVE-2020-26564  
# 1. Introduction  
Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.  
# 2. Vulnerability Details  
ObjectPlanet Opinio before version 7.13 and 7.14 is vulnerable to XXE injection.  
# 3. Proof of Concept  
### XXE leading to local file disclosure ###  
Step 1:   
URL: /opinio/admin/  
Opinio allows an administrative user to edit local CSS files. For the XXE injection, this editor is used to replace the contents of a CSS file with a DTD reference file.  
The existing blueSurvey.css file was chosen for this PoC. Replace the contents of the file with:   
<!ENTITY all "%start;%file;%end;">  
Step 2:   
Use Opinio's survey module to create a generic survey template. Export the template .xml file and add this snippet at the top of the .xml file:  
<!ENTITY % file SYSTEM "file:////C:\Users\">  
<!ENTITY % start "<![CDATA[">  
<!ENTITY % end "]]>">  
Ensure the surveyIntro tag is inserted with the following payload (this will output the result in the surveyIntro field):  
The base directory can be guessed from the information under Setup >> Edit System Settings, a page in Opinio that shows the local directory where Opinio was installed.   
Import the modified .xml file to:   
Step 3:   
The C:\Users\ directory can be viewed at :  
This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at :  
# 4. Remediation  
Apply the latest fix/patch from ObjectPlanet.  
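As an added defensive example (not Opinio's or ObjectPlanet's code), the check below covers both halves of the PoC: it refuses an imported survey template that carries a DTD (Step 2) and refuses a CSS file that has been turned into an entity-declaration file (Step 1). It assumes the application can inspect the raw bytes before saving or parsing them; the sample template is constructed here from the advisory's own entity lines, and the surveyIntro payload is not included.

```python
import re
from typing import List
import xml.etree.ElementTree as ET

# Lexical markers of a DTD: a DOCTYPE, any entity declaration, or a
# parameter-entity reference such as %start;.  Both the survey-template
# import and the CSS editor in the advisory are abused through these.
# Note: "width: 100%;" in CSS does not match, because the character
# after '%' must be an XML name-start character.
_DTD_MARKERS = re.compile(
    rb"<!DOCTYPE\b|<!ENTITY\b|%[A-Za-z_:][\w.:-]*;",
    re.IGNORECASE,
)


class TemplateRejected(ValueError):
    """Raised when an imported template contains DTD markup."""


def find_dtd_markup(data: bytes) -> List[str]:
    """Return every DTD construct found in data (empty list if clean)."""
    return [m.group(0).decode("latin-1") for m in _DTD_MARKERS.finditer(data)]


def parse_survey_template(data: bytes) -> ET.Element:
    """Parse an imported survey template, refusing any document with a DTD.

    ElementTree never fetches external entities, but rejecting the DTD up
    front gives a clear, loggable reason instead of an obscure parse error
    and also blocks entity-expansion (billion laughs) documents.
    """
    found = find_dtd_markup(data)
    if found:
        raise TemplateRejected(f"DTD markup not allowed in survey templates: {found}")
    return ET.fromstring(data)


def css_is_clean(data: bytes) -> bool:
    """A stylesheet has no business containing entity declarations."""
    return not find_dtd_markup(data)


# Constructed sample: the advisory's entity lines wrapped in a DOCTYPE so
# the document is well-formed.  No surveyIntro payload is included.
MALICIOUS_TEMPLATE = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE survey [\n"
    b'<!ENTITY % file SYSTEM "file:////C:\\Users\\">\n'
    b'<!ENTITY % start "<![CDATA[">\n'
    b'<!ENTITY % end "]]>">\n'
    b"]>\n"
    b"<survey><surveyIntro>intro text</surveyIntro></survey>\n"
)

# Constructed sample: a benign export of the same shape.
CLEAN_TEMPLATE = (
    b'<?xml version="1.0"?>\n'
    b"<survey><surveyIntro>Welcome</surveyIntro></survey>\n"
)

# Constructed sample: the CSS file after Step 1 of the PoC, and a real one.
DTD_AS_CSS = b'<!ENTITY all "%start;%file;%end;">'
REAL_CSS = b"body { width: 100%; color: #fff; }"


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_TEMPLATE), ("malicious", MALICIOUS_TEMPLATE)):
        try:
            root = parse_survey_template(blob)
            print(f"{name}: accepted, intro = {root.findtext('surveyIntro')!r}")
        except TemplateRejected as exc:
            print(f"{name}: rejected ({exc})")
    print("CSS editor:", css_is_clean(REAL_CSS), css_is_clean(DTD_AS_CSS))
```

The scan is deliberately lexical rather than parser-based so that the rejection happens before any XML library sees the bytes; the same function serves the file editor and the importer.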
# 5. Credits  
Timothy Tan (  
Khor Yong Heng (  
Yu EnHui (  
Daniel Tan (