[Repost] Exploit: http://target/SaurusCMSupdate4.7.0/saurus_cms_upd4.7.0/file.php?class_pa
Posted on: 2010-8-12 12:38
# Title: Apache JackRabbit webapp XPath Injection
# Author: ADEO Security
# Published: 11/08/2010
# Version: 2.0.0 (possibly all versions)
# Description: "Apache Jackrabbit is a fully conforming implementation
of the Content Repository for Java Technology API (JCR, specified in
JSR 170 and 283).
A content repository is a hierarchical content store with support for
structured and unstructured content, full text search, versioning,
transactions, observation, and more.
Apache Jackrabbit is a project of the Apache Software Foundation."
# Vulnerability:
In search.jsp, the HTTP GET parameter "q" is inserted into an XPath query
without any sanitisation whenever it starts with the word "related:".
search.jsp
...
String q = request.getParameter("q");
...
if (q != null && q.length() > 0) {
    String stmt;
    if (q.startsWith("related:")) {
        // "path" is taken verbatim from the request and spliced into the
        // single-quoted XPath string literal below, so a quote in the input
        // ends the literal and the rest is parsed as XPath syntax.
        String path = q.substring("related:".length());
        stmt = "//element(*, nt:file)[rep:similar(jcr:content, '"
            + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score descending";
        // only the HTML rendering of the term is encoded, not the query input
        queryTerms = "similar to <b>"
            + Text.encodeIllegalXMLCharacters(path) + "</b>";
    }
...
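As an added illustration (not code from the advisory or from the Jackrabbit project), the following self-contained Java sketch shows how the "related:" branch could validate the path before it is concatenated into the XPath literal. The class name, the allowlist pattern and the sample inputs are assumptions; where the repository API offers bind variables or the JCR query object model, those avoid string building altogether.

```java
import java.util.regex.Pattern;

// Hypothetical hardening for the "related:" branch of search.jsp.
// The path lands inside a single-quoted XPath string literal, so any
// input that can close that literal or add XPath syntax is rejected
// before a query is ever built.
public final class RelatedSearch {

    // Constructed allowlist: an absolute JCR path whose segments start with
    // an alphanumeric or underscore and otherwise use only [A-Za-z0-9_.:-].
    // This excludes quotes, brackets, parentheses, '*', '@', whitespace,
    // empty segments and the "." / ".." segments.
    private static final Pattern SAFE_PATH = Pattern.compile(
        "^/(?:[A-Za-z0-9_][A-Za-z0-9_.:-]*/)*[A-Za-z0-9_][A-Za-z0-9_.:-]*$");

    // Same statement as search.jsp builds; kept here for comparison only.
    static String rawStatement(String path) {
        return "//element(*, nt:file)[rep:similar(jcr:content, '"
            + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score descending";
    }

    // Hardened construction: returns null when the input is not an
    // acceptable path, so the caller can answer with an error instead of
    // passing attacker-controlled syntax to the query engine.
    static String hardenedStatement(String q) {
        if (q == null || !q.startsWith("related:")) {
            return null;
        }
        String path = q.substring("related:".length());
        if (!SAFE_PATH.matcher(path).matches()) {
            return null; // quote, bracket or other XPath syntax: reject
        }
        return rawStatement(path); // the literal is now guaranteed to stay a literal
    }

    public static void main(String[] args) {
        String good = "related:/docs/report.pdf";            // constructed sample
        String bad = "related:/docs/report'.pdf";            // constructed: contains a quote
        System.out.println(hardenedStatement(good));          // full XPath statement
        System.out.println(hardenedStatement(bad));           // null
    }
}
```

Logging the rejected value of "q" at the point where hardenedStatement returns null gives a simple detection signal for attempts against this parameter.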