Urule XXE
Author: idam0n

The interface for saving a decision flow does not disable external entity resolution when it parses the submitted XML. An attacker can therefore inject XML external entities into the saved data, read arbitrary files from the operating system, trigger SSRF to probe the intranet, or cause a denial of service by declaring a large number of recursively referenced entities.
The vulnerable code is in file com\bstek\urule\console\servlet\flow\RuleFlowDesignerServletHandler.java, method com.bstek.urule.console.servlet.flow.parseXml, as shown in the picture:

The program reads the XML content directly, and the parser is not configured to prohibit external entity references, which results in XXE.

Reproducing in a local build environment:
Use IDEA to build a Spring Boot demo project and add urule as a dependency:

Exploiting the Vulnerability
Now repeat the request and add the XXE payload to the POST parameter 'content'.
Then access the interface /urule/ruleflowdesigner/loadFlowDefinition to load the XML file just submitted.
The HTTP message:

The content of file:///c:/windows/system.ini was loaded:

Furthermore, an XML External Entity (XXE) injection can also be used for SSRF and DoS.
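As an added example (not code from the Urule project), this is the hardened JAXP parser configuration that the parseXml method described above should use; it assumes the handler parses the 'content' parameter with a standard DocumentBuilderFactory, and the sample documents are constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class SafeFlowXmlParser {

    // Hardened JAXP factory: DOCTYPE is forbidden outright, so neither external
    // entities (file read / SSRF) nor entity-expansion bombs (DoS) can be declared.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // JAXP 1.5+ belt and braces
        return f;
    }

    // Hypothetical replacement for the handler's parseXml (assumed signature):
    // parses the submitted 'content' string with the hardened factory.
    static Document parseXml(String content) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(content)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain flow definition still parses normally.
        String benign = "<rule-flow id=\"demo\"><start id=\"s\"/></rule-flow>";
        System.out.println("benign root: " + parseXml(benign).getDocumentElement().getNodeName());

        // Constructed sample: a submission carrying a DOCTYPE with an external entity
        // (the shape of the report's payload) is rejected before any entity is resolved.
        String withDoctype = "<!DOCTYPE rule-flow [<!ENTITY x SYSTEM \"file:///c:/windows/system.ini\">]>"
                + "<rule-flow>&x;</rule-flow>";
        try {
            parseXml(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

If the handler actually uses dom4j's SAXReader, the same feature URIs are applied through SAXReader.setFeature, and the DOCTYPE rejection behaves identically.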