Feng Office Blind XML External Entity Vulnerability in Document Upload Component

Vulnerability

A blind XML external entity (XXE) vulnerability has been identified in Feng Office version 3.2.2.1. The flaw is in the Document Upload Handler, specifically in the ApplicationDataObject.class.php file, which parses XML taken from uploaded documents. Because the parser resolves external entities, a crafted XML document can be used to read local files and exfiltrate their contents. The same behaviour can be leveraged for server-side request forgery (SSRF), and if the PECL expect extension were installed it could be escalated to remote code execution (RCE).

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data through file exfiltration, manipulation of server-side requests, and, under certain conditions, remote code execution.

Reproduction

The vulnerability can be reproduced by uploading a crafted DOCX file whose XML payload references an external entity. This is done by manually adding a DOCTYPE declaration with an entity that sends the contents of a server file, such as '/etc/os-release', to an external server controlled by the attacker. When the application processes the uploaded file, the XXE is triggered and the exfiltrated data can be retrieved from the attacker's server.

Remediation

Review the XML parsing code in ApplicationDataObject.class.php and ensure that external entities are never loaded unless strictly required. Validate uploaded XML content before parsing so that it cannot reference external resources, whether local files or network URLs.
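The following is an added illustration of that remediation and is not Feng Office's own code: a hardened PHP routine for reading an XML part out of an uploaded DOCX. The function name, the DOCX part name and the use of DOMDocument are assumptions about how such a handler could be written.

```php
<?php
// Added example, not code from Feng Office. Shows how an upload handler can
// parse an XML part from a DOCX without resolving any external entity.
// parseDocxPartSafely() and the part name are assumptions for illustration.

function parseDocxPartSafely(string $docxPath, string $partName = 'word/document.xml'): DOMDocument
{
    $zip = new ZipArchive();
    if ($zip->open($docxPath) !== true) {
        throw new RuntimeException("cannot open DOCX archive: $docxPath");
    }
    $xml = $zip->getFromName($partName);
    $zip->close();
    if ($xml === false) {
        throw new RuntimeException("missing part $partName in DOCX");
    }

    // On PHP < 8.0 (libxml < 2.9) external entity loading must be switched off
    // explicitly; on PHP >= 8.0 it is off by default and this call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // resolveExternals and substituteEntities default to false; leave them so.
    // LIBXML_NONET blocks any network access during parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately NOT passed, so entities are never expanded.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        $msg = isset($errors[0]) ? trim($errors[0]->message) : 'unknown error';
        throw new InvalidArgumentException("malformed XML part: $msg");
    }

    // A legitimate OOXML part never carries a DOCTYPE. Checking the parsed tree
    // (rather than grepping the raw bytes) also covers non-UTF-8 encodings.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed in uploaded documents');
    }
    return $dom;
}

// Usage: $dom = parseDocxPartSafely('/tmp/upload.docx');
```

Rejecting any DOCTYPE closes the SSRF and local-file variants together, since both depend on an entity declaration that a real DOCX part never needs.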

Added: Jun 9, 2025, 1:18 PM
Updated: Jun 9, 2025, 1:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.