[opencms-dev] OpenCms security advisory?
Bastian Ballmann
bastian.ballmann at wiminno.com
Fri Jul 28 12:33:05 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I cannot find a note about this advisory on the mailing list, so I'll
send it to you.
"OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are
vulnerable to multiple access control and input validation vulnerabilities,
which allow authenticated users to perform the following unauthorized
actions:
* View and download application's log file;
* Download arbitrary files from the system;
* View sources of JSP files (provided they are locked by some other user);
* Add webusers;
* Upload new OpenCms modules;
* Overwrite existing OpenCms modules;
* Upload database import/export files;
* Overwrite existing database import/export files;
* Send broadcast messages to all users;
* Send JavaScript to any user (XSS);
* Obtain list of all users and groups"
http://packetstormsecurity.org/0607-exploits/OpenCMS_multiple_vulnerabilities.txt
These issues were fixed by Alkacon in release 6.2.2, but unfortunately I
cannot find any advice that it's important to upgrade to 6.2.2.
The release note from Alkacon only says "No important new features have
been added since the 6.2.1 version."
Regards
Bastian Ballmann
- --
- ----------------------------------
wilhelm innovative medien gmbh
- ----------------------------------
Treppenstraße 17
42115 Wuppertal
Tel. 0202 - 37 14 6-0
Fax 0202 - 37 14 6-16
eMail: wuppertal at wiminno.com
- ----------------------------------
Kollwitzstraße 66
10435 Berlin
Tel. 030 - 42 08 07-0
Fax 030 - 42 08 07-16
eMail: berlin at wiminno.com
- ----------------------------------
web: http://www.wiminno.com
Geschäftsführer: Jens Wilhelm
HRB 10018 - Amtsgericht Wuppertal
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFEyefh9hQySR6QNdYRArYjAJ4nt+jRwCYcdgOjcXkl/bKMb1IojQCeLz8W
+8BQRkimdmJ6bSB3uXQgBpo=
=X7Hb
-----END PGP SIGNATURE-----