CVE-2007-3693-gobi.txt

`http://int21.de/cve/CVE-2007-3693-gobi.txt  
  
Cross site scripting and information disclosure in gobi/helma  
  
security advisory  
  
References:  
http://gobi.helma.org/  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3693  
  
Description:  
Cross site scripting describes attacks that allow to insert malicious  
html or javascript code via get or post forms. This can be used to steal  
session cookies.  
helma is a javascript-based application server, gobi is a cms  
based on helma. It's used on some popular pages, e. g. the ORF.  
The search-function can be used to inject javascript code.  
It will cause an information disclosure about the system path of helma  
if filled with invalid chars.  
  
Workaround/Fix:  
There's no vendor fix. All input strings in web applications should be  
escaped properly and error messages containing paths should be suppressed  
on live installations.  
Vendor has been contacted 2007-04-12 and hasn't answered yet.  
  
Sample injection URLs:  
http://gobi.helma.org/search/?q=<script>alert(1)</script>  
http://dev.helma.org/search/?q=<script>alert(1)</script>  
http://tv.orf.at/search?keyword="><script>alert(1)</script>  
  
Sample information disclosure URLs:  
http://gobi.helma.org/search/?q="  
http://dev.helma.org/search/?q="  
  
CVE Information:  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CVE-2007-3693 to this issue. This is a candidate for inclusion in  
the CVE list (http://cve.mitre.org/), which standardizes names for  
security problems.  
  
Credits and copyright:  
This vulnerability was discovered by Hanno Boeck of schokokeks.org  
webhosting, http://www.schokokeks.org  
It's licensed under the creative commons attribution license:  
http://creativecommons.org/licenses/by/3.0/  
  
Hanno Boeck, 2007-07-12, http://www.hboeck.de  
`