Jinher OA XML External Entity Injection Vulnerability

A critical XML External Entity (XXE) injection vulnerability has been identified in Jinher OA versions through 1.2. The issue resides in the XML Handler component, specifically within the '/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add' endpoint. This vulnerability allows unauthenticated attackers to send crafted XML documents that include external entity references. The server processes these entities, which can lead to data exfiltration using out-of-band techniques. Exploitation of this vulnerability could also allow attackers to read arbitrary files from the server, conduct server-side request forgery (SSRF) attacks, scan internal networks, and potentially execute remote code, all while exposing sensitive system files and configuration data.

Impact

Exploitation of this vulnerability allows for general XML External Entity injection impacts, with the possibility of reading arbitrary files, conducting SSRF attacks, scanning internal networks, and potentially leading to remote code execution. In this case, the vulnerability was exploited to read the contents of the 'C:\Windows\win.ini' file on the target server.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add' endpoint with a 'Content-Type' of 'application/xml'. The request must include a DOCTYPE declaration that references an external entity. Once the server processes the request, the specified files can be read and exfiltrated via an HTTP request to the attacker's server.

Remediation

To address this vulnerability, it is recommended to disable XML external entity processing by configuring the XML parser to reject external entity resolutions. Implement strict input validation for XML content, considering alternatives like JSON where possible. Additionally, restrict outbound connections from the server to prevent data exfiltration.