thinkgem JeeSite
cpe:2.3:a:jeesite:jeesite:*:*:*:*:*:*:*
- <= 5.15.1
An XML External Entity (XXE) vulnerability has been identified in thinkgem JeeSite versions up to and including 5.15.1. The issue resides in the Endpoint component, specifically in the file CasOutHandler.java. The handler accepts a user-controlled POST parameter named logoutRequest and parses it as XML without the parser hardening (refusing DOCTYPE declarations and disabling external entity resolution) that prevents XXE, so an attacker can supply a document whose DOCTYPE declares an external entity and have the server resolve it, for example to initiate server-side requests to an attacker-chosen location.
Successful exploitation yields XML External Entity injection. The most direct consequence is server-side request forgery (SSRF): the server resolves the attacker-declared entity and makes a request to an internal or external resource on the attacker's behalf. Depending on the parser configuration and runtime, other entity-based attacks may also be possible, such as disclosure of local file contents if the expanded entity is reflected in a response or error message, or entity-expansion denial of service.
To reproduce, send a POST request to the /js/a/login-cas endpoint with the logoutRequest parameter set to a crafted XML document whose DOCTYPE declares an external entity, for example one whose SYSTEM identifier points at a host the tester controls. A vulnerable instance parses the document with DTD processing enabled and resolves the entity, which can be confirmed by observing the resulting outbound request from the server; a hardened parser rejects the DOCTYPE before any entity is resolved and no such request occurs.
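The parsing pattern described above and the hardened form that closes it, as an added example that is not code from the JeeSite project: a self-contained Java program that parses a constructed CAS-style logoutRequest (the payload shape the reproduction step describes, with a DOCTYPE declaring an external entity, here pointing at a local temporary file so the demonstration runs offline) first with a default DocumentBuilderFactory and then with one configured to refuse DOCTYPE declarations. The class and helper names, the SAML-style element names and the payload are assumptions for illustration; the actual code of CasOutHandler.java is not reproduced here.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Illustrative demo (not JeeSite code): vulnerable vs. hardened parsing of a
// CAS single-logout "logoutRequest" XML document.
public class CasLogoutXxeDemo {

    // Vulnerable pattern: a default DocumentBuilderFactory keeps DTD processing and
    // external entity resolution enabled, which is what makes XXE possible.
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened pattern: refuse DOCTYPE outright (a CAS logout message never needs a
    // DTD), and belt-and-braces disable every external entity / DTD access path.
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // decisive
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Extracts the SessionIndex value, the field a logout handler would act on.
    static String sessionIndex(DocumentBuilder b, String logoutRequest) throws Exception {
        Document d = b.parse(new InputSource(new StringReader(logoutRequest)));
        NodeList n = d.getElementsByTagNameNS("*", "SessionIndex");
        return n.getLength() == 0 ? null : n.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for an attacker-chosen target: a local temp file, so the
        // demo needs no network. In the real attack the SYSTEM identifier would be an
        // http:// URL, turning entity resolution into a server-side request.
        Path target = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(target, "contents-fetched-by-the-parser");
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE LogoutRequest [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
            + "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"demo\">\n"
            + "  <samlp:SessionIndex>&xxe;</samlp:SessionIndex>\n"
            + "</samlp:LogoutRequest>";
        try {
            System.out.println("unsafe parser: SessionIndex = " + sessionIndex(unsafeBuilder(), payload));
            sessionIndex(safeBuilder(), payload);
            System.out.println("safe parser: unexpectedly accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("safe parser: rejected (" + e.getMessage() + ")");
        } finally {
            Files.delete(target);
        }
    }
}
```

Run it with `java CasLogoutXxeDemo.java` (Java 11 or later). With the JDK's default parser the unsafe path expands the entity and the temp file's content is returned as the SessionIndex, the offline analogue of the server fetching an attacker-chosen URL; the hardened builder throws SAXParseException at the DOCTYPE line before any entity is resolved. Rejecting DOCTYPE is the right fix for an endpoint like this because a CAS single-logout message never legitimately carries a DTD, so the rejection costs nothing in functionality.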