Content management system abused to exploit dated vulnerability

A two-year-old vulnerability in the Apache Solr search platform can be reached through OpenCMS, allowing an attacker to read arbitrary files and potentially take over the entire system.

OpenCMS is a Java-based content management system used to maintain the digital content of sites such as the World Intellectual Property Organization and the Italian Finance Ministry.

Users who have configured OpenCMS with the Apache Solr search engine may be at risk from a dated XML external entity injection (XXE) vulnerability – through no fault of the CMS.

“The very first step was to find an entrypoint in OpenCMS which allows running Solr queries,” said security researcher Abdel Adim Oisfi, detailing his discovery in a recent blog post. He found that entry point in the CMS’s handleSolrSelect REST-like API.

“After the entrypoint was found, confirming the XXE was just a matter of seconds,” Oisfi said.

The Apache Solr XXE, initially found in 2017, can be exploited by using an out-of-band channel such as FTP to read arbitrary files from the Solr server.
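A defender watching for the path described above (a Solr query carrying an XML external-entity declaration, arriving through a CMS entry point such as handleSolrSelect) can check web access logs for it. The following is an added example, not code from the article, Shielder, OpenCMS or Solr; the log lines are constructed, and the `/opencms/handleSolrSelect` path and the `ftp://example.invalid` host are assumptions used only as sample input.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse, parse_qs, unquote_plus

# Markers of an external-entity declaration, checked after URL-decoding.
XXE_MARKERS = (
    re.compile(r"<!DOCTYPE", re.I),
    re.compile(r"<!ENTITY", re.I),
    re.compile(r"\bSYSTEM\s+[\"'](?:ftp|https?|file|jar)://", re.I),
)
# Paths through which a query reaches Solr in this scenario: the CMS
# entry point named in the article and Solr's own select handler.
SOLR_PATHS = ("handleSolrSelect", "/select")

# Common/combined access-log format (constructed sample below uses it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def inspect_request(target: str) -> List[str]:
    """Return the names of query parameters that carry XXE markers."""
    parsed = urlparse(target)
    if not any(p in parsed.path for p in SOLR_PATHS):
        return []
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            # Check the once-decoded value and a second decode (double-encoding).
            if any(m.search(v) for v in (value, unquote_plus(value)) for m in XXE_MARKERS):
                hits.append(name)
                break
    return hits

def scan_access_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Yield (client ip, request path, suspicious parameters) per flagged line.
    Only GET query strings are visible here; POST bodies need request logging."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = inspect_request(m.group("target"))
        if params:
            alerts.append((m.group("ip"), m.group("target").split("?")[0], params))
    return alerts

# Constructed sample: a benign query, a query embedding a DOCTYPE with an
# external FTP entity, and an unrelated page request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2020:10:00:00 +0000] "GET /opencms/handleSolrSelect?q=*:*&rows=10 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2020:10:00:01 +0000] "GET /opencms/handleSolrSelect?q=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+q+%5B%3C%21ENTITY+e+SYSTEM+%22ftp%3A%2F%2Fexample.invalid%2Fx%22%3E%5D%3E%3Cq%3E%26e%3B%3C%2Fq%3E HTTP/1.1" 200 88',
    '198.51.100.2 - - [10/Jan/2020:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the second line, naming the `q` parameter; the same check belongs on the outbound side too, since an FTP or HTTP connection initiated by the Solr host is the other observable of this exploit.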

Oisfi used a basic payload to trigger the vulnerability, which is said to impact Solr versions 5.5.0, 5.5.4, 6.0.0, 6.6.1, 7.0.0, and 7.0.1.

Users who have these versions of Solr connected to their CMS are advised to update immediately.

While OpenCMS bears no responsibility for the Solr flaw, the case highlights how a system’s security can still be undermined indirectly through back-end vulnerabilities.

“When multiple technologies are combined together and there are some known vulnerabilities for a non-exposed one, always understand how the other ones talk to the vulnerable one, in order to find potential exploit paths,” Oisfi said.