header-logo
Suggest Exploit
vendor:
JackRabbit
by:
ADEO Security
8,5
CVSS
HIGH
XPath Injection
79
CWE
Product Name: JackRabbit
Affected Version From: 2.0.0
Affected Version To: 2.2.6
Patch Exists: YES
Related CWE: N/A
CPE: a:apache:jackrabbit:2.0.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2010

Apache JackRabbit webapp XPath Injection

In search.jsp file HTTP GET parameter 'q' is included to XPath query without sanitisation if its start with word 'related:'. This can lead to remote code execution.

Mitigation:

Upgrade to Apache Jackrabbit 2.2.7 or later.
Source

Exploit-DB raw data:

# Title: Apache JackRabbit webapp XPath Injection
# Author: ADEO Security
# Published: 11/08/2010
# Version: 2.0.0 (Possible all versions)
# Vendor: http://www.apache.org
# Download: http://www.apache.org/dyn/closer.cgi/jackrabbit/2.0.0/jackrabbit-2.0.0-src.zip

# Description: "Apache Jackrabbit is a fully conforming implementation
of the Content Repository for Java Technology API (JCR, specified in
JSR 170 and 283).
A content repository is a hierarchical content store with support for
structured and unstructured content, full text search, versioning,
transactions, observation, and more.
Apache Jackrabbit is a project of the Apache Software Foundation."

# Credit: Vulnerability founded by Canberk BOLAT
        - Mail: canberk.bolat[AT]adeo.com.tr
        - Web: http://security.adeo.com.tr

# Vulnerability:
In search.jsp file HTTP GET parameter "q" included to XPath query
without sanitised if its start with word "related:".

search.jsp
...
String q = request.getParameter("q");
...
       if (q != null && q.length() > 0) {
            String stmt;
            if (q.startsWith("related:")) {
                String path = q.substring("related:".length());
                stmt = "//element(*, nt:file)[rep:similar(jcr:content,
'" + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score
descending";
                queryTerms = "similar to <b>" +
Text.encodeIllegalXMLCharacters(path) + "</b>";
            }
...

Navigation

Suggest Exploit

Services By CQR