TEIGarage Document Conversion Service XML External Entity Injection Vulnerability
Vulnerability
A critical XML External Entity (XXE) Injection vulnerability has been identified in the TEIGarage Document Conversion Service, part of TEIGarage, a web service and RESTful API for transforming, converting, and validating various formats, with a focus on TEI. The vulnerability arises because the service parses XML files during conversion without disabling external entity processing. This oversight allows attackers to read arbitrary files from the server's filesystem, potentially exposing sensitive information such as configuration files and credentials. Furthermore, depending on the server's configuration, the vulnerability could be exploited to perform server-side request forgery (SSRF) by having the server connect to internal services.
Impact
Exploitation of this vulnerability allows for arbitrary file reading from the server's filesystem, which could lead to exposure of sensitive information, including configuration files and credentials. Additionally, there is a potential for conducting SSRF attacks, depending on the server's configuration.
Reproduction
To reproduce this vulnerability, create a malicious XML file that includes an XXE payload referencing a target file on the server. Then, send a POST request to the TEIGarage document conversion endpoint, including the malicious XML file and a properties file with conversion settings. The server will process the request and include the contents of the targeted file in the conversion output.
Remediation
Users are advised to update to TEIGarage version 1.2.4 or later. Additionally, external entity processing should be disabled in the XML parser by setting the appropriate security features, such as enabling secure processing. Implementing input validation and sanitization for XML documents before processing can also help mitigate this vulnerability.
