Jinher OA XML External Entity Injection Vulnerability
Vulnerability
A critical XML External Entity (XXE) injection vulnerability has been identified in Jinher OA version 1.1. This issue resides in the 'XmlHttp.aspx' endpoint, where the application improperly processes XML input, allowing attackers to include malicious external entities. Exploitation of this vulnerability can lead to unauthorized reading of server files, server-side request forgery (SSRF) attacks, internal network scanning, and potentially remote code execution. The vulnerability can be exploited remotely without authentication.
Impact
Exploitation allows for reading arbitrary files from the server, conducting SSRF attacks, scanning internal networks, and potentially leading to remote code execution. Sensitive system files and configuration data may be exposed.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'XmlHttp.aspx' endpoint with a crafted XML payload that includes external entity references. The server resolves these references, which allows files on the server to be read. A proof-of-concept demonstrating this is available on GitHub.
Remediation
It is recommended to disable XML external entity processing, validate XML input, use alternative data formats like JSON when possible, restrict outbound server connections, apply the latest security patches, and conduct regular security audits of XML processing components.
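As an added illustration of the first recommendation (not Jinher OA's code, and not taken from the advisory), the sketch below shows a .NET System.Xml parser configured so that any document type declaration is rejected before entities can be resolved. It assumes the handler parses the request body with System.Xml; the SafeXml class, its Load helper, the size cap and both sample documents are constructed for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

public static class SafeXml
{
    // Hypothetical helper: parse untrusted request XML with DTDs refused outright.
    public static XmlDocument Load(Stream body)
    {
        var settings = new XmlReaderSettings
        {
            // Weak configuration for contrast: DtdProcessing.Parse combined with
            // a non-null resolver lets the parser fetch external entities.
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersInDocument = 1000000       // assumed size cap for this sketch
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(body, settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // Constructed inputs: a plain document, and one that declares a DTD
        // containing only a harmless internal entity.
        string[] samples =
        {
            "<req><id>42</id></req>",
            "<!DOCTYPE req [<!ENTITY e \"x\">]><req><id>&e;</id></req>"
        };
        foreach (var xml in samples)
        {
            try
            {
                var doc = Load(new MemoryStream(Encoding.UTF8.GetBytes(xml)));
                Console.WriteLine("accepted: " + doc.DocumentElement.OuterXml);
            }
            catch (XmlException ex)
            {
                // Log and return a generic error; do not echo parser details to the client.
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

Because the reader refuses the declaration itself, internal and external entities are blocked alike, and the rejection can be logged as a signal that a client sent a DTD to an endpoint that has no need for one.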
