Pachno XML External Entity Injection Vulnerability in TextParser Helper

A XML external entity injection vulnerability has been identified in Pachno version 1.0.6. This vulnerability allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. The issue arises because the application does not properly restrict entity resolution in XML data processed through wiki table syntax and allowed inline tags in issue descriptions, comments, and wiki articles. Attackers can inject malicious XML entities that are then resolved by the XML parser, potentially leading to unauthorized file access.

Impact

Exploitation of this vulnerability could allow unauthorized users to read arbitrary files on the server. Additionally, on systems with PHP 7.4 or higher and libxml2 version 2.9.0 or later, the vulnerability could be exploited to perform server-side request forgery against internal services, with the response exfiltrated through reflected XML attribute values.

Reproduction

The vulnerability can be reproduced by injecting malicious XML entities into wiki table syntax or allowed inline tags within issue descriptions, comments, or wiki articles. This injected XML is then processed by the TextParser helper, where the lack of proper entity resolution restrictions can be exploited to read arbitrary files.