[opencms-dev] OpenCms security advisory?

Bastian Ballmann bastian.ballmann at wiminno.com
Fri Jul 28 12:33:05 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I cannot find a note about this advisory on the mailing list, so I'll
send it to you.

"OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are
vulnerable to multiple access control and input validation vulnerabilities,
which allow authenticated users to perform the following unauthorized
actions:

* View and download application's log file;
* Download arbitrary files from the system;
* View sources of JSP files (provided they are locked by some other user);
* Add webusers;
* Upload new OpenCms modules;
* Overwrite existing OpenCms modules;
* Upload database import/export files;
* Overwrite existing database import/export files;
* Send broadcast messages to all users;
* Send JavaScript to any user (XSS);
* Obtain list of all users and groups"

http://packetstormsecurity.org/0607-exploits/OpenCMS_multiple_vulnerabilities.txt

Those issues were fixed by Alkacon in release 6.2.2, but unfortunately I
cannot find any advice that it's important to upgrade to 6.2.2.

The release note from Alkacon only says "No important new features have
been added since the 6.2.1 version.".

Regards

Bastian Ballmann
- --
- ----------------------------------
 wilhelm innovative medien gmbh
- ----------------------------------
 Treppenstraße 17
 42115  Wuppertal
 Tel.   0202 - 37 14 6-0
 Fax    0202 - 37 14 6-16
 eMail: wuppertal at wiminno.com
- ----------------------------------
 Kollwitzstraße 66
 10435  Berlin
 Tel.   030 - 42 08 07-0
 Fax    030 - 42 08 07-16
 eMail: berlin at wiminno.com
- ----------------------------------
 web:   http://www.wiminno.com
 Geschäftsführer: Jens Wilhelm
 HRB 10018 - Amtsgericht Wuppertal
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFEyefh9hQySR6QNdYRArYjAJ4nt+jRwCYcdgOjcXkl/bKMb1IojQCeLz8W
+8BQRkimdmJ6bSB3uXQgBpo=
=X7Hb
-----END PGP SIGNATURE-----