Jinher OA XML External Entity Injection Vulnerability

Vulnerability

A critical XML External Entity (XXE) injection vulnerability has been identified in Jinher OA version 2.0. The issue resides in the 'GetWordFileName.aspx' endpoint, which processes XML input without adequate validation, allowing attackers to manipulate external entity references. This vulnerability can be exploited remotely by sending specially crafted XML documents that the server processes, potentially leading to unauthorized data access or manipulation.

Impact

Exploitation of this vulnerability allows for unauthorized reading of arbitrary files from the server. It could also facilitate server-side request forgery (SSRF) attacks, internal network scanning, and possibly remote code execution. There is a risk of exposing sensitive system files and configuration data.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'GetWordFileName.aspx' endpoint with a crafted XML payload. The XML must include a DOCTYPE declaration that defines an external entity pointing to a malicious server controlled by the attacker. Once the server processes the request, the attacker can exfiltrate data by referencing files through the defined entities.

Remediation

To address this vulnerability, it is recommended to disable XML external entity processing in the application's XML parser. Implement strict input validation to reject XML documents containing DOCTYPE declarations. Consider using alternative data formats like JSON where possible. Additionally, restrict outbound connections from the server to prevent data exfiltration.
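
One way to apply the first two recommendations in an ASP.NET handler, shown as an added example that is not Jinher OA's own code. The helper name SafeXml.TryLoad, the size cap and the two sample documents are assumptions constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// Hypothetical helper: parse request XML with DTDs refused and no resolver.
public static class SafeXml
{
    private static readonly XmlReaderSettings Hardened = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE raises XmlException
        XmlResolver = null,                     // parser never fetches file/HTTP resources
        MaxCharactersInDocument = 1000000       // constructed size cap for request bodies
    };

    // Returns the parsed document, or null (with a reason) when the input is rejected.
    public static XmlDocument TryLoad(Stream body, out string error)
    {
        error = null;
        // Also clear the document-level resolver so later operations cannot resolve URIs.
        var doc = new XmlDocument { XmlResolver = null };
        try
        {
            using (XmlReader reader = XmlReader.Create(body, Hardened))
            {
                doc.Load(reader);
            }
            return doc;
        }
        catch (XmlException ex)
        {
            error = ex.Message; // log server-side; return a generic 400 to the client
            return null;
        }
    }

    public static void Main()
    {
        // Constructed samples: one plain document, one carrying a DOCTYPE
        // with a harmless internal entity.
        string[] samples = {
            "<request><name>report.doc</name></request>",
            "<!DOCTYPE request [<!ENTITY e \"x\">]><request><name>&e;</name></request>"
        };
        foreach (string xml in samples)
        {
            string error;
            var doc = TryLoad(new MemoryStream(Encoding.UTF8.GetBytes(xml)), out error);
            Console.WriteLine(doc != null ? "accepted" : "rejected: " + error);
        }
    }
}
```

Rejecting the DOCTYPE at the reader covers both the file-read and the outbound-request paths described under Impact, because the parser stops before any entity is defined or resolved.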

Added: Sep 23, 2025, 12:48 AM
Updated: Sep 23, 2025, 12:48 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.5
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.