Jinher OA XML External Entity Injection Vulnerability

Vulnerability

A critical XML External Entity (XXE) injection vulnerability has been identified in Jinher OA versions through 1.2. The issue lies in the XML Handler component, specifically the '/c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add' endpoint. An unauthenticated remote attacker can submit a crafted XML document containing external entity references; because the server resolves these entities, the flaw can lead to unauthorized file access, server-side request forgery (SSRF), internal network scanning, and potentially remote code execution. A proof-of-concept exploit for this vulnerability has been publicly disclosed.

Impact

Successful exploitation allows attackers to read arbitrary files from the server, conduct SSRF attacks, scan internal networks, and potentially execute remote code. Sensitive system files and configuration data may be exposed.

Reproduction

To reproduce this vulnerability, send a POST request to the '/c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add' endpoint with an XML payload that includes a DOCTYPE declaration referencing an external entity. The server processes the declaration and resolves the external entity, which can be used to exfiltrate data or read restricted files.

Remediation

It is recommended to disable XML External Entity processing (DTD parsing and external resource resolution) in the XML parser, apply strict input validation to XML content, consider alternative data formats such as JSON, restrict outbound connections from the server so that a resolved entity cannot reach internal or external hosts, apply the latest security patches, and audit XML processing components regularly.
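As an added example (not code from Jinher or from this advisory), the first remediation item expressed as .NET parser configuration: the risky pattern beside the hardened one, assuming the handler parses the POST body with System.Xml, which is the assumption here.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not Jinher's code: how an ASP.NET handler should parse an
// untrusted XML body so that any DOCTYPE (and thus any external entity) is rejected.
public static class XmlHttpHardening
{
    // Risky pattern: XmlDocument with a URL resolver. The resolver is set
    // explicitly here to make the risk visible; on older .NET Framework builds
    // this is the default, so a DOCTYPE with an external entity gets fetched.
    public static XmlDocument ParseUnsafe(string xml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = new XmlUrlResolver();
        doc.LoadXml(xml);
        return doc;
    }

    // Hardened pattern: prohibit DTDs entirely and never resolve external resources.
    public static XmlDocument ParseSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> throws XmlException
            XmlResolver = null                      // no file:// or http:// fetches, ever
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // True when the hardened parser refuses the document.
    public static bool IsRejected(string xml)
    {
        try { ParseSafe(xml); return false; }
        catch (XmlException) { return true; }
    }

    public static void Main()
    {
        // Constructed inputs: a plain document, and one carrying a DOCTYPE with an
        // internal entity only. The hardened parser must reject the second one.
        const string plain = "<project><name>demo</name></project>";
        const string withDtd = "<!DOCTYPE project [<!ENTITY e \"x\">]><project>&e;</project>";
        Console.WriteLine("plain rejected: " + IsRejected(plain));
        Console.WriteLine("DOCTYPE rejected: " + IsRejected(withDtd));
    }
}
```

Rejecting the DOCTYPE outright is preferable to merely ignoring it, since the handler then fails closed on the exact input class this advisory describes.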

Added: Sep 8, 2025, 11:18 AM
Updated: Sep 8, 2025, 4:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.9
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.