Apache JackRabbit version 2.0.0 suffers from a XPath injection vulnerability.
7b8b167d2f5d54b7350164f5d4b901a3ff35dfb56a0dbf1fdb02beaff079e1c5
# Title: Apache JackRabbit webapp XPath Injection
# Author: ADEO Security
# Published: 11/08/2010
# Version: 2.0.0 (Possible all versions)
# Vendor: http://www.apache.org
# Download: http://www.apache.org/dyn/closer.cgi/jackrabbit/2.0.0/jackrabbit-2.0.0-src.zip
# Description: "Apache Jackrabbit is a fully conforming implementation
of the Content Repository for Java Technology API (JCR, specified in
JSR 170 and 283).
A content repository is a hierarchical content store with support for
structured and unstructured content, full text search, versioning,
transactions, observation, and more.
Apache Jackrabbit is a project of the Apache Software Foundation."
# Credit: Vulnerability founded by Canberk BOLAT
- Mail: canberk.bolat[AT]adeo.com.tr
- Web: http://security.adeo.com.tr
# Vulnerability:
In search.jsp file HTTP GET parameter "q" included to XPath query
without sanitised if its start with word "related:".
search.jsp
...
String q = request.getParameter("q");
...
if (q != null && q.length() > 0) {
String stmt;
if (q.startsWith("related:")) {
String path = q.substring("related:".length());
stmt = "//element(*, nt:file)[rep:similar(jcr:content,
'" + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score
descending";
queryTerms = "similar to <b>" +
Text.encodeIllegalXMLCharacters(path) + "</b>";
}
...