Home / os / win7

Apache JackRabbit 2.0.0 webapp XPath Injection Vulnerabilty

Posted on 11 August 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Apache JackRabbit 2.0.0 webapp XPath Injection Vulnerabilty</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===========================================================
Apache JackRabbit 2.0.0 webapp XPath Injection Vulnerabilty
===========================================================

# Title: Apache JackRabbit webapp XPath Injection
# Author: ADEO Security
# Published: 11/08/2010
# Version: 2.0.0 (Possible all versions)
# Vendor: http://www.apache.org
# Download: http://www.apache.org/dyn/closer.cgi/jackrabbit/2.0.0/jackrabbit-2.0.0-src.zip
 
# Description: &quot;Apache Jackrabbit is a fully conforming implementation
of the Content Repository for Java Technology API (JCR, specified in
JSR 170 and 283).
A content repository is a hierarchical content store with support for
structured and unstructured content, full text search, versioning,
transactions, observation, and more.
Apache Jackrabbit is a project of the Apache Software Foundation.&quot;
 
# Credit: Vulnerability founded by Canberk BOLAT
        - Mail: canberk.bolat[AT]adeo.com.tr
        - Web: http://security.adeo.com.tr
 
# Vulnerability:
In search.jsp file HTTP GET parameter &quot;q&quot; included to XPath query
without sanitised if its start with word &quot;related:&quot;.
 
search.jsp
...
String q = request.getParameter(&quot;q&quot;);
...
       if (q != null &amp;&amp; q.length() &gt; 0) {
            String stmt;
            if (q.startsWith(&quot;related:&quot;)) {
                String path = q.substring(&quot;related:&quot;.length());
                stmt = &quot;//element(*, nt:file)[rep:similar(jcr:content,
'&quot; + path + &quot;/jcr:content')]/rep:excerpt(.) order by @jcr:score
descending&quot;;
                queryTerms = &quot;similar to &lt;b&gt;&quot; +
Text.encodeIllegalXMLCharacters(path) + &quot;&lt;/b&gt;&quot;;
            }
...


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-11]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :