#######################################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/
#
#######################################################################
#
# CVE ID : CVE-2009-4505
# Product: OpenCMS OAMP Comments Module
# Vendor: Open Source, Alkacon GmbH (Cologne, Germany)
# Subject: Cross-site scripting (XSS)
# Risk: High
# Effect: Anonymously exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date: March 24th 2010
#
#######################################################################

Introduction:
-------------

Cyrill Brunschwiler of Compass Security discovered a web application
security flaw in the OpenCMS OAMP comments module.

Description:
------------

The OAMP comments module allows OpenCMS users to add comments to pages.
However, the comment module reflects unfiltered user input. As a result,
attackers could inject HTML and JavaScript code that is executed in the
web browsers of all visitors. Exploiting the vulnerability leads to
so-called cross-site scripting (XSS) and allows the impersonation of
logged-in OpenCMS web and workplace users. Attackers could also embed
arbitrary content such as faked login forms or redirect OpenCMS users to
malware pages.

Vulnerable:
-----------

OAMP comments module version 1.0.0

Patches:
--------

Get the latest version at http://cvs.opencms.org/

Fix:
----

All output must be encoded using HTML entities. For that purpose the
escapeXml attribute must not be set to false on any c:out tag. Moreover,
all fmt:param outputs must be encoded as well.

Example:

  <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

Alternatively one could use the OWASP ESAPI (Enterprise Security API)
to encode all output. For more details on the OWASP ESAPI consult the
google code repository and see http://www.owasp.org/index.php/ESAPI

Example:

  String clean = ESAPI.encoder().encodeForHTML(maliciousInput);

Milestones:
-----------

December 24th 2009, Vulnerability discovered
January 6th 2010, Vendor notified
March 13th 2010, Fixed in CVS (m.jaeger)

References:
-----------

OpenCMS - http://www.opencms.org/en/

OpenCms from Alkacon Software is a professional, easy to use website
content management system. OpenCms helps content managers worldwide to
create and maintain beautiful websites fast and efficiently.

OpenCMS OAMP Modules - http://www.alkacon.com/en/products/oamp/index.html

The Alkacon OpenCms Add-On Module Package (also called OAMP) is a set of
free, open source extension modules for OpenCms. Alkacon OAMP adds
front-end related features to OpenCms that may be useful in case special
functionalities are required.

XSS - http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a
web application to send malicious code, generally in the form of a
browser side script, to a different end user. Flaws that allow these
attacks to succeed are quite widespread and occur anywhere a web
application uses input from a user in the output it generates without
validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user's browser has no way to know that the script should
not be trusted, and will execute the script. Because it thinks the
script came from a trusted source, the malicious script can access any
cookies, session tokens, or other sensitive information retained by your
browser and used with that site. These scripts can even rewrite the
content of the HTML page.
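The Fix section above in the form of a JSP fragment, as an added example that is not code from the advisory or from the OAMP module: the "comment" bean (author, text properties) and the "comment.by" message key are assumed, and the vulnerable and corrected output are shown side by side.

```jsp
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="fn"  uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- Assumed for this example: a "comment" bean with author and text
     properties, and a message bundle key "comment.by" whose pattern
     is "Posted by {0}". --%>

<%-- BEFORE (vulnerable): escapeXml="false" writes the stored comment
     verbatim, so markup or script in it is rendered by every visitor's
     browser. fmt:param performs no encoding at all. --%>
<div class="comment">
  <c:out value="${comment.text}" escapeXml="false" />
  <fmt:message key="comment.by">
    <fmt:param value="${comment.author}" />
  </fmt:message>
</div>

<%-- AFTER (fixed): c:out encodes <, >, &, ' and " as HTML entities by
     default, so escapeXml is simply left at its default. fmt:message
     and fmt:param do not encode, so the argument is wrapped in
     fn:escapeXml before it reaches the page. --%>
<div class="comment">
  <c:out value="${comment.text}" />
  <fmt:message key="comment.by">
    <fmt:param value="${fn:escapeXml(comment.author)}" />
  </fmt:message>
</div>
```

The same rule applies to every other place the module writes request or database data into the page: any value that bypasses c:out (scriptlets, fmt:param, custom tags) needs an explicit fn:escapeXml or ESAPI encoder call.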