CVE-2021-42194
📋 TL;DR
This XXE vulnerability in EyouCMS allows attackers to read sensitive files from the server or perform server-side request forgery by sending malicious XML data. It affects all users running vulnerable versions of EyouCMS with the wechat_return functionality accessible.
💻 Affected Systems
- EyouCMS
📦 What is this software?
Eyoucms by Eyoucms
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure of sensitive data like configuration files, passwords, or SSH keys, potentially leading to remote code execution.
Likely Case
Unauthorized reading of server files including configuration files, source code, or other sensitive data accessible to the web server user.
If Mitigated
Limited impact if external entity processing is disabled at PHP level or input validation blocks malicious payloads.
🎯 Exploit Status
Simple XXE payloads can be crafted to read files. Public GitHub issue shows exploitation details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V1.5.5 or later
Vendor Advisory: https://github.com/eyoucms/eyoucms/issues/19
Restart Required: No
Instructions:
1. Update to EyouCMS V1.5.5 or later.
2. Replace /controller/Index.php with the patched version.
3. Verify the simplexml_load_string call now uses the LIBXML_NOENT flag or proper input sanitization.
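An added example, not code from EyouCMS or its vendor: the entity-substituting parse pattern behind this CVE beside a hardened replacement. LIBXML_NOENT is the option that switches on entity substitution in simplexml_load_string, so the hardened call omits it and additionally rejects any DOCTYPE before parsing; the function names and the sample callback body are assumptions.

```php
<?php
// Added example, not EyouCMS code: the entity-substituting parse pattern behind
// this CVE beside a hardened replacement. Function names are assumptions.

// Unsafe: LIBXML_NOENT makes libxml substitute entities, so a DOCTYPE declaring
// <!ENTITY test SYSTEM "file:///etc/passwd"> is resolved and inlined into the tree.
function parse_wechat_xml_unsafe(string $xml)
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_NOCDATA);
}

// Hardened: a WeChat callback body never needs a DOCTYPE, so reject any input that
// carries one, switch off the external entity loader on PHP < 8.0, and parse
// without LIBXML_NOENT (and with LIBXML_NONET) so no entity is ever substituted.
function parse_wechat_xml_safe(string $xml)
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return false;
    }
    if (PHP_VERSION_ID < 80000) {
        // Deprecated in 8.0, where external entity loading is already off by default.
        libxml_disable_entity_loader(true);
    }
    // Route parse errors to libxml's buffer instead of PHP warnings, then clear them.
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc;
}

// Constructed inputs: the DOCTYPE probe from the "How to Verify" section and a
// benign WeChat-style callback body.
$probe  = '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]>'
        . '<root>&test;</root>';
$benign = '<xml><ToUserName><![CDATA[gh_demo]]></ToUserName>'
        . '<MsgType><![CDATA[text]]></MsgType></xml>';

// The hardened parser refuses the probe outright and still reads the benign body.
var_dump(parse_wechat_xml_safe($probe) === false);
var_dump((string) parse_wechat_xml_safe($benign)->MsgType);
```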
🔧 Temporary Workarounds
Disable PHP external entities
Configure PHP to disable external entity processing globally. There is no php.ini directive for this: on PHP before 8.0, call the following once during application bootstrap (for example from a file loaded through the auto_prepend_file ini setting) before any XML is parsed. On PHP 8.0 and later, external entity loading is disabled by default and this function is deprecated.
libxml_disable_entity_loader(true);
WAF rule blocking XXE patterns
Implement web application firewall rules to detect and block XXE payloads
🧯 If You Can't Patch
- Disable or restrict access to the wechat_return function endpoint
- Implement input validation to reject XML containing DOCTYPE declarations or external entity references
🔍 How to Verify
Check if Vulnerable:
Send a POST request to the wechat_return endpoint with XXE payload and check if server returns file contents. Example payload: <?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]><root>&test;</root>
Check Version:
Check EyouCMS version in admin panel or read version.txt file in installation directory
Verify Fix Applied:
Test with same XXE payload - should return error or empty response instead of file contents. Check that simplexml_load_string in Index.php uses LIBXML_NOENT flag.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing XML with DOCTYPE declarations
- Unusual file read attempts in web server logs
- Large XML payloads to wechat_return endpoint
Network Indicators:
- XML payloads with file:// or http:// entities in POST requests
- Unusual outbound connections from web server following XML processing
SIEM Query:
source="web_logs" AND (uri="*wechat_return*" AND (body="*<!DOCTYPE*" OR body="*<!ENTITY*" OR body="*SYSTEM*"))