Reporter Hanno Boeck
Cross site scripting and information disclosure in gobi/helma
Cross site scripting describes attacks that allow to insert malicious
based on helma. It's used on some popular pages, e. g. the ORF.
It will cause an information disclosure about the system path of helma
if filled with invalid chars.
There's no vendor fix. All input strings in web applications should be
escaped properly and error messages containing paths should be suppressed
on live installations.
Vendor has been contacted 2007-04-12 and hasn't answered yet.
Sample injection URLs:
Sample information disclosure URLs:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3693 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
Credits and copyright:
This vulnerability was discovered by Hanno Boeck of schokokeks.org
It's licensed under the creative commons attribution license:
Hanno Boeck, 2007-07-12, http://www.hboeck.de