SpringBlade XML External Entity Vulnerability in Report Module Allowing Arbitrary Code Execution

Vulnerability

An XML external entity (XXE) injection vulnerability has been identified in the SpringBlade framework, specifically in version 4.8.0 of the blade-report module, which integrates the UReport2 reporting engine. An authenticated attacker can submit a crafted report file containing an external entity declaration through the 'saveReportFile' endpoint; the stored file is later parsed by the 'loadReport' endpoint. The underlying XML parser neither disables external entity resolution nor rejects DOCTYPE declarations, so the injected entity is resolved at parse time, allowing an attacker to read files from the server file system or disrupt server operations.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, such as application configuration files containing database credentials or private keys, with the file contents returned in the parsed report. It could also enable server-side request forgery (SSRF), where the server is made to issue requests to internal or external hosts through an entity that references an http:// URL rather than a local file. Finally, the parser can be driven into a denial-of-service condition by exhausting server memory with nested entity expansions (the "billion laughs" pattern), since entity expansion is not limited before parsing.

Reproduction

To reproduce this vulnerability, first upload a report file containing a malicious XML payload with an injected external entity via the 'saveReportFile' endpoint. The XML must be double-URL-encoded so that it survives the first round of URL decoding intact and is written to disk as valid XML. Once the file is saved, call the 'loadReport' endpoint to trigger parsing of the stored XML. The server resolves the injected entity and returns the contents of the targeted file in the response.

Remediation

To address this vulnerability, it is recommended to disable the report designer functionality in production environments, especially if it is not needed. At the code level, the XML parser should be configured to disallow external entities and DOCTYPE declarations before parsing any report XML. Additionally, UReport2 should be upgraded or replaced with an actively maintained reporting engine, as UReport2 is known to contain multiple vulnerabilities.
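The following Java example is added here to illustrate both the reproduction steps and the parser-level remediation described above; it is not code from SpringBlade or UReport2. It constructs a simplified report-style XML document (the `<ureport>`/`<cell>` element names are illustrative, not the real schema) with a DOCTYPE that declares an external entity pointing at a locally created temporary file standing in for a sensitive configuration file, shows the double URL encoding the upload requires, and then parses the payload twice: once with a default `DocumentBuilderFactory`, which resolves the entity and leaks the file contents, and once with a hardened factory that rejects the DOCTYPE before any entity can be resolved. The request parameter names of 'saveReportFile' and 'loadReport' are not reproduced because the page does not state them; the example stays at the parser level.

```java
import java.io.StringReader;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ReportXxeDemo {

    // Constructed report XML: a DOCTYPE declaring an external entity that points at a local file.
    // The <ureport>/<cell> elements are illustrative stand-ins, not the real UReport2 schema.
    static String buildPayload(String fileUri) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE ureport [\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<ureport><cell name=\"A1\">&xxe;</cell></ureport>";
    }

    // The upload must be double-URL-encoded: the first decode performed on the way in
    // still leaves an encoded string, which the second decode turns back into raw XML.
    static String doubleUrlEncode(String s) {
        String once = URLEncoder.encode(s, StandardCharsets.UTF_8);
        return URLEncoder.encode(once, StandardCharsets.UTF_8);
    }

    // Parser as it behaves when nothing is disabled: DOCTYPE accepted, external entities resolved.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened parser: reject DOCTYPE outright, and additionally turn off every entity/DTD feature
    // so the configuration stays safe even if a different parser implementation is picked up.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses the report and returns the text of the root element, which is where the
    // expanded entity (i.e. the leaked file content) shows up in the vulnerable case.
    static String parseAndExtractText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, java.io.IOException {
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive configuration file, created locally so the demo runs offline.
        Path secret = Files.createTempFile("blade-demo", ".properties");
        Files.writeString(secret, "spring.datasource.password=constructed-secret\n");
        String payload = buildPayload(secret.toUri().toString());

        System.out.println("Payload as it would travel in the upload:\n" + doubleUrlEncode(payload) + "\n");

        // Unpatched path: the entity expands and the file content ends up in the parsed report.
        System.out.println("Vulnerable parser returned: " + parseAndExtractText(vulnerableFactory(), payload));

        // Hardened path: the DOCTYPE itself is rejected before any entity can be resolved.
        try {
            parseAndExtractText(hardenedFactory(), payload);
            System.out.println("Hardened parser unexpectedly accepted the DOCTYPE");
        } catch (SAXException e) {
            System.out.println("Hardened parser rejected the payload: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with a JDK 11 or newer (`javac ReportXxeDemo.java && java ReportXxeDemo`). The first parse prints the temporary file's contents inside the report text; the second throws a `SAXParseException` stating that DOCTYPE is disallowed. Disabling the DOCTYPE is the single setting that closes file read, SSRF and entity-expansion denial of service at once; the remaining features are defence in depth for parsers that do not honour the Apache-specific feature name. The same settings apply to `SAXParserFactory` and, for code that uses dom4j's `SAXReader`, via its `setFeature` method.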

Added: Apr 30, 2026, 6:24 PM
Updated: Apr 30, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 7.9
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.