Product: OpenCms
Official Maintainer: Alkacon Software GmbH
Affected Version(s): 9.5.2
Tested Version(s): 9.5.2
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Maintainer Notification: 2015-11-27
Solution Date: 2016-01-13
Public Disclosure:
CVE Reference: Not yet assigned
Author of Advisory: Rainer Boie (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
OpenCms is an open source web content management system. Alkacon
Software GmbH is the official maintainer and the major contributor for
OpenCms (see [1]).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The SySS GmbH found out that a logged on user with at least workspace
access is vulnerable to a reflected cross-site scripting attack using
the OpenCms login form. An attacker can use an URL to create the attack
as the attack vector is triggered by an HTTP GET request.
It is recommended to filter and escape transmitted parameter values.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Using a fresh installation of OpenCms in version 9.5.2 and generating
and logging in with a user with workspace access rights, the following
attack vector was used:
http://<HOST>:<PORT>/opencms/
The parameter is handled by the function appendWorkplaceOpenerScript in
the file CmsLogin.java.
The vulnerable code section is:
html.append("\tvar openUri = \"");
html.append(link(openResource)
html.append("\";\n");
html.append("\tvar workplaceWin = openWorkplace(openUri, \"");
The JavaScript code is executed in the web browser as it is included in
the following affected part of the HTML response:
function doOnload() {
var openUri = "/opencms/opencms/system/
var workplaceWin = openWorkplace(openUri, "OpenCms1448623274999");
if (window.name != "OpenCms1448623274999") {
window.opener = workplaceWin;
if (workplaceWin != null) {
window.close();
}
}
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The main maintainer Alkacon Software GmbH published 01/13/2016 version
9.5.3 where the flaw is fixed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-11-27: Vulnerability reported to the official maintainer Alkacon
Software GmbH
2015-12-04: Vulnerability reported to the official maintainer Alkacon
Software GmbH
2015-12-04: Response from maintainer: The issue is fixed in version
9.5.3 which is planned to be published 01/13/2016.
2016-01-13: Release 9.5.3 published
2016-01-20: Checked and confirmed fix of vulnerability in version 9.5.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product Web site for OpenCms
http://www.opencms.org
[2] SySS Security Advisory SYSS-2015-063
https://www.syss.de/fileadmin/
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Rainer Boie of the SySS GmbH.
E-Mail: rainer.boie (at) syss.de
Public Key: https://www.syss.de/fileadmin/
Key fingerprint = E724 9ECC 7E6F 1008 16AB 1A53 5C12 823D 608D 7AE9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/
Komentarų nėra:
Rašyti komentarą