Jinher OA XML External Entity Injection Vulnerability

Vulnerability

A critical XML External Entity (XXE) injection vulnerability has been identified in Jinher OA versions through 2.0. The issue resides in the WebDesign.aspx endpoint, specifically when the 'type' parameter is set to 'SystemUserInfo' and the 'style' parameter is set to '1'. This vulnerability allows unauthenticated attackers to send crafted XML documents that include external entity references. The server processes these entities, which can lead to data exfiltration using out-of-band techniques. Exploitation is possible remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows attackers to read arbitrary files from the server, conduct server-side request forgery (SSRF) attacks, scan internal networks, and potentially execute remote code. There is also a risk of exposing sensitive system files and configuration data.

Reproduction

To reproduce this vulnerability, send a POST request to the WebDesign.aspx endpoint with the 'type' parameter set to 'SystemUserInfo' and the 'style' parameter set to '1'. Include in the XML payload a DOCTYPE declaration that references an external entity. If the server is vulnerable, it processes the entity, reads the specified files, and exfiltrates the data to an external server.

Remediation

It is recommended to disable XML external entity processing, validate XML input, use alternative data formats like JSON when possible, restrict outbound connections from the server, apply the latest security patches, and conduct regular security audits of XML processing components.
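
A proxy-side or log-review check for the request shape described under Vulnerability, as an added example that is not part of the original advisory or the vendor's code. It assumes 'type' and 'style' arrive in the query string (the advisory does not say where they are carried); the /app/ path, the collector.invalid host and the sample bodies are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A DTD in the body is the precondition for external-entity processing.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

def decode_body(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 body is not missed by a plain byte search."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    # Dropping NULs also covers BOM-less UTF-16 of ASCII markup.
    return raw.decode("utf-8", errors="replace").replace("\x00", "")

def classify(method: str, url: str, body: bytes) -> str:
    """Return 'alert', 'review' or 'ignore' for one HTTP request."""
    parts = urlsplit(url)
    # IIS paths are case-insensitive, so compare in lower case.
    if "webdesign.aspx" not in parts.path.lower():
        return "ignore"
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(key.lower(), set()).add(value.strip().lower())
    targeted = ("systemuserinfo" in params.get("type", ())
                and "1" in params.get("style", ()))
    if method.upper() != "POST" or not targeted:
        return "ignore"
    # Parameters match the advisory; a DTD in the body raises it to an alert.
    return "alert" if DTD_RE.search(decode_body(body)) else "review"

# Constructed sample requests (assumed query-string placement of parameters).
SAMPLE_URL = "/app/WebDesign.aspx?type=SystemUserInfo&style=1"
SAMPLE_DTD = ('<?xml version="1.0"?>'
              '<!DOCTYPE r SYSTEM "http://collector.invalid/a.dtd"><r/>')
SAMPLE_PLAIN = "<r><name>test</name></r>"

if __name__ == "__main__":
    for body in (SAMPLE_DTD.encode(), SAMPLE_DTD.encode("utf-16"),
                 SAMPLE_PLAIN.encode()):
        print(classify("POST", SAMPLE_URL, body))
```

A 'review' result means the request reached the endpoint with the advisory's parameter values but carried no DTD marker; since the endpoint is reachable without authentication, such requests from unexpected sources are still worth checking.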

Added: Oct 6, 2025, 5:35 PM
Updated: Oct 6, 2025, 5:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.