MetInfo CMS Server-Side Request Forgery Vulnerability via XML External Entity Injection

A Server-Side Request Forgery (SSRF) vulnerability has been identified in MetInfo Content Management System (CMS) versions through 8.1. This vulnerability arises from improper handling of XML data, allowing attackers to inject malicious XML entities that can prompt the server to make HTTP requests to arbitrary internal or external addresses. Exploitation of this vulnerability could facilitate internal network reconnaissance, port scanning, or the extraction of sensitive information. The issue may be linked to a backend API associated with the path '/admin/#/webset/?head_tab_active=0', where user-supplied XML is processed.

Impact

Exploitation of this vulnerability could lead to unauthorized internal network access, allowing for reconnaissance, port scanning, or retrieval of sensitive information.

Reproduction

To reproduce this vulnerability, first set up a Netcat listener on a controlled server, targeting port 2333. Then, craft a malicious XML document that includes an external entity referencing the listener's address. This XML payload should be sent to the vulnerable XML processing interface within MetInfo, specifically through the backend API associated with the '/admin/#/webset/?head_tab_active=0' path. After sending the payload, check the Netcat listener for incoming connections, which would indicate successful exploitation.

Remediation

When processing XML data, configure the parser to disable external entity processing. Additionally, consider using XML parsers that do not support or default to allowing external entity resolution.