Jinher OA XML External Entity Injection Vulnerability
Vulnerability
An XML External Entity (XXE) injection vulnerability exists in Jinher OA version 2.0. The issue is located in the ManageWord.aspx endpoint, specifically when the application processes XML input without adequate validation and without disabling external entity references. This flaw allows remote attackers to include malicious external entities in XML documents that the server processes, potentially leading to unauthorized file access, server-side request forgery (SSRF) attacks, internal network scanning, and in some cases, remote code execution.
Impact
Exploitation of this vulnerability allows attackers to read arbitrary files from the server, conduct server-side request forgery (SSRF) attacks, scan internal networks, and potentially execute remote code. Sensitive system files and configuration data may be exposed.
Reproduction
The vulnerability can be reproduced by sending a POST request to the ManageWord.aspx endpoint with a crafted XML payload. This payload should include a DOCTYPE declaration that defines an external entity pointing to a file on the server, such as a Windows system file. The server will process this request, read the specified file, and exfiltrate the data to an external server controlled by the attacker.
Remediation
To address this vulnerability, it is recommended to disable XML external entity processing in the application's XML parser, implement strict input validation to reject XML documents with DOCTYPE declarations, consider using JSON instead of XML where possible, and restrict outbound connections from the server to prevent data exfiltration.
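As an added example, not code from Jinher or from this advisory, the first two remediation points applied to an ASP.NET parse path like the one behind ManageWord.aspx: the legacy XmlDocument pattern beside a hardened reader that prohibits DTDs and has no resolver. The class and method names, and the constructed sample document, are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;

// Hypothetical helper illustrating the advisory's remediation; not Jinher OA code.
public static class ManageWordXml
{
    // Legacy pattern: on .NET Framework before 4.5.2, XmlDocument carries a default
    // XmlUrlResolver, so a DOCTYPE with a SYSTEM entity is fetched and expanded.
    public static XmlDocument LoadUnsafe(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        return doc;
    }

    // Hardened settings: DTDs are rejected outright, no resolver exists even if a
    // DTD slipped through, and entity expansion is capped as defence in depth.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024
    };

    public static XmlDocument LoadSafe(string xml)
    {
        // Input-validation layer from the remediation: refuse any DOCTYPE up front
        // so the rejection is explicit and easy to log. The parser setting below is
        // the real control; this check is defence in depth.
        if (xml.IndexOf("<!DOCTYPE", StringComparison.OrdinalIgnoreCase) >= 0)
            throw new XmlException("DOCTYPE declarations are not accepted");

        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // Self-check with a constructed document that declares an external entity
    // (placeholder URI, not a real target). Returns true when LoadSafe refuses it.
    public static bool RejectsExternalEntities()
    {
        const string sample =
            "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///PLACEHOLDER\">]><d>&x;</d>";
        try { LoadSafe(sample); return false; }
        catch (XmlException) { return true; }
    }
}
```

Wire LoadSafe in wherever the handler currently builds an XmlDocument from request data; RejectsExternalEntities() is a quick regression check for a unit test.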
