Type packetstorm
Reporter Hanno Boeck
Modified 2007-07-13T00:00:00


Cross site scripting and information disclosure in gobi/helma  
security advisory  
Cross site scripting describes attacks that allow to insert malicious  
html or javascript code via get or post forms. This can be used to steal  
session cookies.  
helma is a javascript-based application server, gobi is a cms  
based on helma. It's used on some popular pages, e. g. the ORF.  
The search-function can be used to inject javascript code.  
It will cause an information disclosure about the system path of helma  
if filled with invalid chars.  
There's no vendor fix. All input strings in web applications should be  
escaped properly and error messages containing paths should be suppressed  
on live installations.  
Vendor has been contacted 2007-04-12 and hasn't answered yet.  
Sample injection URLs:<script>alert(1)</script><script>alert(1)</script>"><script>alert(1)</script>  
Sample information disclosure URLs:""  
CVE Information:  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CVE-2007-3693 to this issue. This is a candidate for inclusion in  
the CVE list (, which standardizes names for  
security problems.  
Credits and copyright:  
This vulnerability was discovered by Hanno Boeck of  
It's licensed under the creative commons attribution license:  
Hanno Boeck, 2007-07-12,