Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability

Title: Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability
Advisory ID: ZSL-2013-5162
Type: Local/Remote
Impact: Manipulation of Data
Risk: (3/5)
Release Date: 28.11.2013
Summary
Ametys is a Java-based open source CMS combining rich content with an easy-to-use and intuitive interface.
Description
Input passed via the 'lang' POST parameter in the newsletter plugin is not properly sanitised before being used to construct an XPath query over XML data. This can be exploited to manipulate XPath queries by injecting arbitrary XPath code.
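As an added illustration (this is not Ametys' code; the XML sample, element names and the allowlist are constructed for the demo), the concatenation pattern described above is shown beside a hardened form that allowlists the 'lang' value and binds it as an XPath variable, so the request parameter can no longer change the structure of the query:

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class LangXPathDemo {
    // Constructed sample data; not the real newsletter plugin schema.
    static final String XML = "<newsletters>"
        + "<newsletter lang='en' id='1'/><newsletter lang='fr' id='2'/>"
        + "<newsletter lang='de' id='3'/></newsletters>";

    // Hypothetical allowlist of languages the site actually publishes in.
    static final Set<String> ALLOWED_LANGS = Set.of("en", "fr", "de");

    // Vulnerable pattern: the request parameter is spliced into the query text,
    // so a value containing quotes or operators rewrites the predicate.
    static int vulnerable(Document doc, String lang) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "/newsletters/newsletter[@lang='" + lang + "']";
        return ((NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET)).getLength();
    }

    // Hardened: reject anything outside the allowlist, then pass the value
    // through an XPathVariableResolver instead of string concatenation.
    static int hardened(Document doc, String lang) throws XPathExpressionException {
        if (!ALLOWED_LANGS.contains(lang)) {
            throw new IllegalArgumentException("unsupported lang value");
        }
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name ->
            "lang".equals(name.getLocalPart()) ? lang : null);
        XPathExpression expr = xp.compile("/newsletters/newsletter[@lang=$lang]");
        return ((NodeList) expr.evaluate(doc, XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
        String tautology = "en' or '1'='1";   // constructed test input
        // The vulnerable query now matches every newsletter regardless of language.
        System.out.println("vulnerable matches: " + vulnerable(doc, tautology));
        System.out.println("hardened matches:   " + hardened(doc, "en"));
        try {
            hardened(doc, tautology);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected input: " + e.getMessage());
        }
    }
}
```

The allowlist check is the cheaper fix and suits a parameter like 'lang' that has a small fixed set of valid values; variable binding is the general fix for any user-supplied value that must reach an XPath predicate.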
Vendor
Anyware Services - http://www.ametys.org
Affected Version
3.5.2 and 3.5.1
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Jetty 6.1.21
Vendor Status
[24.11.2013] Vulnerability discovered.
[24.11.2013] Vendor notified through their bug tracking system with details.
[27.11.2013] No response from the vendor.
[28.11.2013] Public security advisory released.
[11.12.2013] Vendor releases versions 3.5.3 and 3.6 to address this issue.
PoC
ametyscms_xpath.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://issues.ametys.org/browse/CMS-5170
[2] http://cxsecurity.com/issue/WLB-2013110206
[3] http://secunia.com/advisories/55828/
[4] http://www.securelist.com/en/advisories/55828
[5] http://www.securityfocus.com/bid/64015
[6] http://packetstormsecurity.com/files/124227
[7] http://forums.cnet.com/7726-6132_102-5523472.html
[8] http://www.exploit-db.com/exploits/29918/
[9] http://www.osvdb.org/show/osvdb/100486
[10] https://issues.ametys.org/browse/CMS/fixforversion/11981
[11] https://issues.ametys.org/browse/CMS/fixforversion/11785
[12] https://issues.ametys.org/secure/ReleaseNote.jspa?projectId=10021&version=11981
[13] https://issues.ametys.org/secure/ReleaseNote.jspa?projectId=10021&version=11785
Changelog
[28.11.2013] - Initial release
[29.11.2013] - Added reference [2], [3] and [4]
[01.12.2013] - Added reference [5], [6] and [7]
[02.12.2013] - Added reference [8]
[04.12.2013] - Added reference [9]
[11.12.2013] - Added vendor status and reference [10], [11], [12] and [13]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk