Eyoucms XXE Injection Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Eyoucms version 1.7.1, caused by XML external entity (XXE) injection. This issue allows remote attackers to disrupt server operations by sending crafted POST requests with an XML payload designed to exhaust CPU resources. The vulnerability requires the application to be in production mode and can be exploited using tools like Burp Suite's Intruder module to send parallel, multi-threaded requests.

Impact

Exploitation of this vulnerability leads to a significant increase in CPU usage, causing server resource exhaustion. This was demonstrated by a proof-of-concept that utilized a few dozen threads to fully occupy an 18-core CPU.

Reproduction

To reproduce this vulnerability, first ensure that Eyoucms is running in production mode. Then, send a POST request to the application's frontend with a Content-Type of 'application/xml'. The request body should contain an XXE payload, such as a 'billion laughs' entity-expansion document, sent using Burp Suite's Intruder module or another tool that supports multi-threaded request sending.
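The defensive check that closes this path is to refuse any XML request body that declares entities before the parser ever expands them, and to cap body size and nesting depth so a single request cannot burn a core for long. The following is an added example written for this advisory, not Eyoucms code; it uses Python's standard-library expat binding to show the two layers (a byte pre-scan and a parser-level entity-declaration handler), the cap values and sample bodies are assumptions, and the same idea applies to PHP's libxml options in the real application.

```python
"""Defensive XML body handling: refuse DTD/entity declarations before parsing.

Added example, not Eyoucms code. It shows the check a front controller should
apply to an application/xml POST body: a document that declares entities (the
precondition for 'billion laughs' expansion or external entity fetches) is
rejected at declaration time, so no expansion work is ever done.
"""
import xml.parsers.expat
from typing import Optional

MAX_BODY_BYTES = 256 * 1024   # assumed request-body cap; tune per deployment
MAX_DEPTH = 64                # assumed nesting cap against deeply nested bodies


class UnsafeXmlError(ValueError):
    """Raised when a request body must not be handed to the XML parser."""


def parse_xml_body(body: bytes, prescan: bool = True) -> dict:
    """Parse an XML request body while refusing any entity declaration.

    Returns {'root': name, 'elements': count} for an acceptable document.
    Raises UnsafeXmlError on a DTD/entity declaration, an oversized body or a
    too-deep document, and xml.parsers.expat.ExpatError on malformed XML.
    """
    if len(body) > MAX_BODY_BYTES:
        raise UnsafeXmlError(f"body of {len(body)} bytes exceeds cap")

    # Layer 1: cheap byte scan, catches the common case before any parsing.
    # Not sufficient alone (a non-UTF-8 encoding would evade it), hence layer 2.
    if prescan and (b"<!DOCTYPE" in body or b"<!ENTITY" in body):
        raise UnsafeXmlError("DTD or entity declaration in request body")

    # Layer 2: parser-level refusal. expat reports every entity declaration,
    # internal or external, through EntityDeclHandler before any reference to
    # it is expanded, so raising here stops expansion payloads at declaration.
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    stats = {"root": None, "elements": 0, "depth": 0}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} refused")

    def on_start(name, attrs):
        if stats["root"] is None:
            stats["root"] = name
        stats["elements"] += 1
        stats["depth"] += 1
        if stats["depth"] > MAX_DEPTH:
            raise UnsafeXmlError(f"nesting deeper than {MAX_DEPTH}")

    def on_end(name):
        stats["depth"] -= 1

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(body, True)
    return {"root": stats["root"], "elements": stats["elements"]}


def is_refused(body: bytes, prescan: bool = True) -> bool:
    """True if parse_xml_body would refuse the body as unsafe."""
    try:
        parse_xml_body(body, prescan=prescan)
    except UnsafeXmlError:
        return True
    return False


def reject_reason(content_type: str, body: bytes) -> Optional[str]:
    """Front-controller check: None if the request may proceed, else why not.
    Only bodies declared as XML are inspected, matching the vulnerable path."""
    if not content_type.lower().startswith("application/xml"):
        return None
    try:
        parse_xml_body(body)
    except UnsafeXmlError as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return None


# Constructed sample bodies (not captured traffic).
SAFE_BODY = b"<order><id>42</id><note>ok</note></order>"
# A two-entity declaration, the shape any expansion payload starts with. The
# handler refuses it at the first declaration, so nothing is ever expanded.
ENTITY_BODY = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaa">'
               b'<!ENTITY b "&a;&a;">]><d>&b;</d>')

if __name__ == "__main__":
    print(parse_xml_body(SAFE_BODY))
    print(reject_reason("application/xml", ENTITY_BODY))
    print(reject_reason("application/xml", SAFE_BODY))
```

Rejecting at the declaration, rather than counting expansions afterwards, is the design point: the CPU cost of a billion-laughs document is incurred during expansion, so any check that runs after the parser has resolved references is already too late. The body-size and depth caps are the second half of the mitigation, since they bound the work a single request can demand even when it declares no entities.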

Added: Dec 3, 2025, 9:18 PM
Updated: Dec 3, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 8.2
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.