Jinher OA XML External Entity Injection Vulnerability in ProjectScheduleDelete.aspx

Vulnerability

A critical XML External Entity (XXE) injection vulnerability has been identified in Jinher OA version 1.2, specifically within the ProjectScheduleDelete.aspx endpoint. This vulnerability allows unauthenticated attackers to send crafted XML documents that include external entity references. The server processes these references, which can lead to unauthorized data access and exfiltration using out-of-band techniques. Exploitation of this vulnerability could potentially allow attackers to read arbitrary files from the server, conduct server-side request forgery (SSRF) attacks, scan internal networks, and in some cases, execute remote code. The vulnerability arises because the application does not properly validate XML input or disable external entity references, enabling the inclusion of malicious entities that the server processes.

Impact

Successful exploitation allows for XXE injection, with potential impacts including unauthorized file reading, server-side request forgery, internal network scanning, and possibly remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the ProjectScheduleDelete.aspx endpoint with a crafted XML payload that includes a DOCTYPE declaration referencing an external entity. The server will process the request, allowing the exfiltration of data from the target server to an external location controlled by the attacker.

Remediation

It is recommended to disable XML external entity processing by configuring the XML parser to reject DTDs and external entity resolution. Implement strict input validation for XML content, consider using alternative data formats such as JSON, and restrict outbound connections from the server so that out-of-band exfiltration is blocked.
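As an added example of the parser hardening described above (not code from Jinher OA), the following C# shows how an ASP.NET endpoint can load an untrusted request body with DTD processing prohibited and the resolver disabled; the class name, method names and the sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (not Jinher OA's code): hardened XML loading for an ASP.NET
// endpoint. Names and the sample documents are constructed for illustration.
public static class SafeXml
{
    // Parser configuration that rejects any DTD and never resolves external
    // resources, which closes the XXE path the advisory describes.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> throws XmlException
            XmlResolver = null                      // never fetch SYSTEM/PUBLIC identifiers
        };
    }

    // Parses an untrusted request body. Returns null instead of a document when
    // the input carries a DTD or is malformed, so the caller rejects the request.
    public static XmlDocument LoadUntrusted(string body)
    {
        // Also clear the document-level resolver so nothing is fetched at load time.
        var doc = new XmlDocument { XmlResolver = null };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(body), HardenedSettings()))
            {
                doc.Load(reader);
            }
            return doc;
        }
        catch (XmlException)
        {
            return null; // DTD present or malformed XML: treat as a rejected request
        }
    }

    public static void Main()
    {
        // Constructed inputs: a benign delete request, then one carrying a DOCTYPE
        // with an external entity reference (the shape the advisory describes).
        const string benign = "<ProjectSchedule><Id>42</Id></ProjectSchedule>";
        const string withDtd = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/e\">]>" +
                               "<ProjectSchedule><Id>&ext;</Id></ProjectSchedule>";

        Console.WriteLine(LoadUntrusted(benign) != null ? "benign: accepted" : "benign: rejected");
        Console.WriteLine(LoadUntrusted(withDtd) == null ? "dtd: rejected" : "dtd: accepted");
    }
}
```

Logging the rejection (rather than silently returning null) gives the SOC a detection signal for XXE attempts against the endpoint.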

Added: Jul 19, 2025, 1:22 PM
Updated: Jul 19, 2025, 1:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.