Issues » Matrix URI parameters can expose private assets

Issue: SI-63
Date: Jun 14, 2022, 1:45:00 PM
Severity: Medium
Requires Admin Access: No
Fix Version: 22.06, 22.03.2, 21.06.9, 5.3.8.12
Credit: Fortinet (https://www.fortinet.com/)
Description:

Some Java Application frameworks, including those used by Spring or Tomcat, allow the use of “matrix parameters” — URI parameters separated by semicolons. Through precise semicolon placement in a URI, it is possible to exploit this feature to avoid dotCMS's path-based XSS prevention/require login filters and access restricted resources.

For example, the semicolon in the URL below would reveal to anyone a text file ordinarily only visible to signed-in users:
https://demo.dotcms.com/html;/js/dojo/README-Building-dojo-for-dotCMS.txt

The ability to circumvent these filters can be chained with other code to expolit dotCMS using XSS attacks.

Mitigation:

Upgrade

dotCMS recommends upgrading to one of the versions of dotCMS patched against this vulnerability, which include the following, as well as subsequent versions:

  • Agile:
    • 22.06+
  • LTS:
    • 22.03.2+
    • 21.06.9+
    • 5.3.8.12+

WAF Rule

It is possible to create a WAF rule that disallows ; (semi-colons) specifically in the the URI portion of a request URL. This would effectivily block any exploit of the vunerability.

Hotfix Plugin

dotCMS 5.1.6+

The following OSGi plugin, designed to work with versions dotCMS 5.1.6 and later, can be used to mitigate the issue in running dotCMS instances:

dotCMS Cloud

dotCMS has already applied mitigations for this issue to all dotCMS Cloud customers; no action is needed.

References

Highly Rated and Recommended

We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews