Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability

Medium
Advisory ID: ZSL-2013-5162
Release Date: 28 November 2013
Vendor: Anyware Services - http://www.ametys.org
Affected Version: 3.5.2 and 3.5.1
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Jetty 6.1.21
Summary

Ametys is a Java-based open source CMS combining rich content with an easy-to-use and intuitive interface.

Description

Input passed via the 'lang' POST parameter in the newsletter plugin is not properly sanitised before being used to construct an XPath query over XML data. This can be exploited to manipulate the resulting XPath query by injecting arbitrary XPath code.
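To illustrate the flaw class described above, here is an added example (not Ametys' code; the XML document, element names and method names are constructed for the demonstration) contrasting an XPath query built by string concatenation with one that binds the 'lang' value through an XPathVariableResolver, so the value can never alter the query structure:

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class LangXPathDemo {
    // Constructed sample data standing in for a newsletter list; not the real Ametys schema.
    static final String XML =
          "<newsletters>"
        + "<newsletter lang=\"en\" id=\"public-en\"/>"
        + "<newsletter lang=\"fr\" id=\"public-fr\"/>"
        + "<newsletter lang=\"internal\" id=\"staff-only\"/>"
        + "</newsletters>";

    static Document doc() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable pattern: the request parameter is spliced into the query text, so a value
    // containing a quote closes the literal and the remainder is parsed as XPath syntax.
    static int countVulnerable(String lang) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "/newsletters/newsletter[@lang='" + lang + "']";
        NodeList n = (NodeList) xp.evaluate(expr, doc(), XPathConstants.NODESET);
        return n.getLength();
    }

    // Hardened pattern: the query text is a fixed string and the parameter is supplied as the
    // XPath variable $lang, so it is compared as a plain string value and never parsed.
    static int countSafe(final String lang) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name ->
            "lang".equals(name.getLocalPart()) ? lang : null);
        NodeList n = (NodeList) xp.evaluate(
            "/newsletters/newsletter[@lang=$lang]", doc(), XPathConstants.NODESET);
        return n.getLength();
    }

    public static void main(String[] args) throws Exception {
        String expected = "en";                 // a normal language code
        String hostile  = "' or '1'='1";        // constructed input that rewrites the predicate
        System.out.println("vulnerable, normal input:  " + countVulnerable(expected));
        System.out.println("vulnerable, hostile input: " + countVulnerable(hostile));
        System.out.println("hardened,   hostile input: " + countSafe(hostile));
    }
}
```

Beyond variable binding, rejecting any 'lang' value that does not match a short allowlist of language codes before it reaches the query is a cheap second layer, and a request log entry showing quotes or XPath operators in that parameter is a usable detection signal.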

Proof of Concept
Disclosure Timeline
24.11.2013 - Vulnerability discovered.
24.11.2013 - Vendor notified through their bug tracking system with details.
27.11.2013 - No response from the vendor.
28.11.2013 - Public security advisory released.
11.12.2013 - Vendor releases versions 3.5.3 and 3.6 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.11.2013 - Initial release
29.11.2013 - Added references [2], [3] and [4]
01.12.2013 - Added references [5], [6] and [7]
02.12.2013 - Added reference [8]
04.12.2013 - Added reference [9]
11.12.2013 - Added vendor status and references [10], [11], [12] and [13]