OpenCms 9.5.2 Cross Site Scripting

2016-02-23T00:00:00
ID PACKETSTORM:135896
Type packetstorm
Reporter Rainer Boie
Modified 2016-02-23T00:00:00

Description

                                        
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-063  
Product: OpenCms  
Official Maintainer: Alkacon Software GmbH  
Affected Version(s): 9.5.2  
Tested Version(s): 9.5.2  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Risk Level: Medium  
Solution Status: Fixed  
Maintainer Notification: 2015-11-27  
Solution Date: 2016-01-13  
Public Disclosure:  
CVE Reference: Not yet assigned  
Author of Advisory: Rainer Boie (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
OpenCms is an open source web content management system. Alkacon   
Software GmbH is the official maintainer and the major contributor for  
OpenCms (see [1]).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
SySS GmbH found that a logged-in user with at least workspace access is  
vulnerable to a reflected cross-site scripting attack via the OpenCms  
login form. Because the attack vector is triggered by an HTTP GET  
request, an attacker can deliver the attack in a URL.  
  
It is recommended to filter and escape transmitted parameter values.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
On a fresh installation of OpenCms version 9.5.2, a user with workspace  
access rights was created and logged in, and the following attack vector  
was used:  
  
http://<HOST>:<PORT>/opencms/opencms/system/login/index.html?requestedResource=%2Fsystem%2Fworkplace%2Fcommons%2Fdisplayresource.jsp%3Fresource%3D%252Fsuchergebnis%252Findex.html";alert('XSS');//&__loginform=true  
  
  
The parameter is handled by the function appendWorkplaceOpenerScript in  
the file CmsLogin.java.  
  
The vulnerable code section is the following, where the value returned by  
link(openResource) is written into a JavaScript string literal without  
being escaped for that context:  
  
html.append("\tvar openUri = \"");  
html.append(link(openResource));  
html.append("\";\n");  
html.append("\tvar workplaceWin = openWorkplace(openUri, \"");  
  
  
The injected JavaScript is executed by the web browser because it is  
reflected into the following part of the HTML response:  
  
function doOnload() {  
    var openUri = "/opencms/opencms/system/workplace/commons/displayresource.jsp?resource=%2Fsuchergebnis%2Findex.html";alert('XSS');//";  
    var workplaceWin = openWorkplace(openUri, "OpenCms1448623274999");  
    if (window.name != "OpenCms1448623274999") {  
        window.opener = workplaceWin;  
        if (workplaceWin != null) {  
            window.close();  
        }  
    }  
}  
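
How the breakout above works and what a fix has to do, shown as an added example in JavaScript. This is not OpenCms code and not Alkacon's fix (the advisory does not show how 9.5.3 was fixed): buildOpenerScript rebuilds the shape of the doOnload() script with a pluggable encoder, escapeJsString is one correct encoder for a double-quoted JavaScript string literal inside an inline script block, and trailingCodeAfterOpenUri is a small check that tells the vulnerable output from the hardened one. All function names and the "/opencms/opencms" prefix used in place of link() are assumptions of this example; the sample input is the advisory's own requestedResource value, URL-decoded once.

```javascript
// Added example (not OpenCms code): a request parameter is concatenated into
// a JavaScript string literal. The same shape is rebuilt with an identity
// encoder (the 9.5.2 behaviour) and with a context-aware encoder, plus a
// check that tells the two outputs apart. Function names and the
// "/opencms/opencms" prefix standing in for link() are assumptions.

// The requestedResource value from the advisory, URL-decoded once.
const ADVISORY_PAYLOAD =
  '/system/workplace/commons/displayresource.jsp?resource=%2Fsuchergebnis%2Findex.html";alert(\'XSS\');//';
const WINDOW_NAME = "OpenCms1448623274999"; // window name seen in the response

// Encode a value for a double-quoted JS string literal inside an inline
// <script> block. Quotes and backslashes keep the literal intact; line
// terminators (including U+2028/U+2029) keep it on one line; '<', '>' and
// '/' ensure the value can never spell "</script>" from inside the literal.
function escapeJsString(value) {
  let out = "";
  for (const ch of value) {
    switch (ch) {
      case "\\": out += "\\\\"; break;
      case '"': out += '\\"'; break;
      case "'": out += "\\'"; break;
      case "\n": out += "\\n"; break;
      case "\r": out += "\\r"; break;
      case "\u2028": out += "\\u2028"; break;
      case "\u2029": out += "\\u2029"; break;
      case "<": out += "\\x3c"; break;
      case ">": out += "\\x3e"; break;
      case "/": out += "\\/"; break;
      default: out += ch;
    }
  }
  return out;
}

const noEncoding = (s) => s; // what the vulnerable version effectively does

// Mirrors the shape of doOnload() in the response; `encode` is applied to
// the value written into the openUri literal.
function buildOpenerScript(openResource, encode, windowName) {
  const link = "/opencms/opencms" + openResource; // assumed stand-in for link()
  let html = "";
  html += "function doOnload() {\n";
  html += '\tvar openUri = "' + encode(link) + '";\n';
  html += '\tvar workplaceWin = openWorkplace(openUri, "' + windowName + '");\n';
  html += "}\n";
  return html;
}

// Index of the closing quote of the double-quoted literal opening at `start`,
// honouring backslash escapes; -1 if the literal does not close on its line.
function endOfStringLiteral(text, start) {
  for (let i = start + 1; i < text.length; i++) {
    if (text[i] === "\\") { i++; continue; }
    if (text[i] === '"') return i;
    if (text[i] === "\n" || text[i] === "\r") return -1;
  }
  return -1;
}

// "" when the openUri statement ends right after its literal; otherwise the
// code that follows the literal on that line (what got injected); null if the
// statement is absent or the literal is unterminated.
function trailingCodeAfterOpenUri(script) {
  const marker = "var openUri = ";
  const at = script.indexOf(marker);
  if (at < 0) return null;
  const close = endOfStringLiteral(script, at + marker.length);
  if (close < 0) return null;
  const lineEnd = script.indexOf("\n", close);
  const rest = script.slice(close + 1, lineEnd < 0 ? script.length : lineEnd);
  return rest === ";" ? "" : rest;
}

// Self-check for the encoder: compile the generated statement and confirm
// the literal decodes back to exactly the original value.
function roundTrip(value) {
  return new Function('var openUri = "' + escapeJsString(value) + '"; return openUri;')();
}

console.log(buildOpenerScript(ADVISORY_PAYLOAD, noEncoding, WINDOW_NAME));
console.log(buildOpenerScript(ADVISORY_PAYLOAD, escapeJsString, WINDOW_NAME));
```

Run with node: the first script printed is the response from the advisory, with alert('XSS') sitting outside the literal; in the second the whole value stays inside one string, and roundTrip() shows the browser will still see the intended URL. HTML entity encoding would not be the right tool here, since the value is parsed by the JavaScript engine, not the HTML parser.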
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
On 01/13/2016 the maintainer Alkacon Software GmbH published version  
9.5.3, in which the flaw is fixed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-11-27: Vulnerability reported to the official maintainer Alkacon   
Software GmbH  
2015-12-04: Vulnerability reported to the official maintainer Alkacon   
Software GmbH  
2015-12-04: Response from maintainer: the issue is fixed in version  
9.5.3, which is planned to be published on 01/13/2016.  
  
2016-01-13: Release 9.5.3 published  
  
2016-01-20: Checked and confirmed fix of vulnerability in version 9.5.3  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product Web site for OpenCms  
http://www.opencms.org  
[2] SySS Security Advisory SYSS-2015-063  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-063.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Credits:  
  
This security vulnerability was found by Rainer Boie of the SySS GmbH.  
  
E-Mail: rainer.boie (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Rainer_Boie.asc  
Key fingerprint = E724 9ECC 7E6F 1008 16AB 1A53 5C12 823D 608D 7AE9  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQEcBAEBCgAGBQJWyxBmAAoJEFwSgj1gjXrpapYH/1eKvLsApiVYoAn84Guy2sbn  
n2LJUORCMkByi2gDCsMij2Y2gnF3cebhsmsos0e6UdGl4f3ztRAnNFI5JLKZ9GjB  
xfbNZ0kVqaocETTkqpMWNcEpM57E5/2fnsOEdxZjjMA5wg6DGLZYzRAxx/nEWSCn  
eQGf8BCKLufLp2MAdNfjCKr4zBE8i+ZBF6QYAoG3YItbIXZvH5WLxfcsPtacoj2K  
LQHW34V9k6OFDmztfmYo42BhhGy1pj7zcZhlQDL+a3iqvDGeGS2F27vnRgbFFBVD  
3K6sfQk78Fx4ceKn32ew8knahUl+DrzgaYnR/JZqGdjOSg871j2jiPt8Esqq2lc=  
=bRHg  
-----END PGP SIGNATURE-----  