Alkacon OpenCms editor.jsp Arbitrary JSP File Source Disclosure

2006-07-21T12:04:08
ID OSVDB:27552
Type osvdb
Reporter Meder Kydyraliev (bugtraq@web.areopag.net)
Modified 2006-07-21T12:04:08

Description

Technical Description

For the program to display the source, the JSP file must be locked by another user.

Solution Description

Upgrade to version 6.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]/opencms/opencms/system/workplace/editors/editor.jsp?resource=/index.jsp

References:

Vendor URL: http://www.opencms.org/
Secunia Advisory ID: 21193
Related OSVDB ID: 27554
Related OSVDB ID: 27559
Related OSVDB ID: 27551
Other Advisory URL: http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0614.html
CVE-2006-3936