[opencms-dev] OpenCms security advisory?

Christian Steinert christian_steinert at web.de
Fri Jul 28 13:07:49 CEST 2006


Bastian Ballmann schrieb:
> Hello,
> 
> I cannot find a note about this advisory on the mailinglist, so I'll
> send it to you.
> 
> "OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are
> vulnerable to multiple access control and input validation vulnerabilities,
> which allow authenticated users to perform the following unauthorized
> actions:
> 
> * View and download application's log file;
> * Download arbitrary files from the system;
> * View sources of JSP files (provided they are locked by some other user);
> * Add webusers;
> * Upload new OpenCms modules;
> * Overwrite existing OpenCms modules;
> * Upload database import/export files;
> * Overwrite existing database import/export files;
> * Send broadcast messages to all users;
> * Send JavaScript to any user (XSS);
> * Obtain list of all users and groups"
> 
> http://packetstormsecurity.org/0607-exploits/OpenCMS_multiple_vulnerabilities.txt
> 
> Those issues were fixed by Alkacon in release 6.2.2, but unfortunately I
> cannot find any advice that it's important to upgrade to 6.2.2.
> 
> The release note from Alkacon only told "No important new features have
> been added since the 6.2.1 version.".
> 
> Regards
> 
> Bastian Ballmann
> --

Dear Bastian,

thanks for sharing this. Indeed it's strange that the release notes do
not contain at least a reference to that advisory.

The risk is reduced significantly by the fact that a workplace user is
required to exploit these vulnerabilities:
  "Most of the access control vulnerabilities mentioned above can be
exploited by accessing the URL that provides the functionality, while
logged in as unprivileged user (member of Users group)."

But still it would be more than warranted to announce the existence of
these vulnerabilities and advise people to upgrade.

Especially because the errors were addressed by releasing a new version
in only slightly more than a week, being open about this issue could
have led to a feeling of *more* confidence. Like this it feels more as
if it's being covered up.

Christian
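The vulnerability class discussed in this thread (privileged workplace functions reachable by any authenticated user who requests their URL directly) is usually fixed by authorizing each privileged URL server-side, denying by default. The following is an added illustration, not OpenCms code and not from either poster: the role names, URL paths and session model are all hypothetical, chosen only to show the weak pattern next to the hardened one.

```python
"""Deny-by-default authorization for privileged workplace URLs.

Added example, not OpenCms code.  The advisory quoted in the thread lists
privileged functions (module upload, database import, broadcast messages,
log download, user listing) that an ordinary authenticated user could reach
simply by requesting their URL.  The hardened dispatcher below maps each
privileged path to the role it requires and refuses anything not explicitly
allowed, regardless of whether the UI ever showed a link to that path.
"""
from dataclasses import dataclass, field

# Hypothetical role names (placeholders, not OpenCms identifiers).
ROLE_USER = "Users"
ROLE_ADMIN = "Administrators"

# Hypothetical paths for the privileged actions named in the advisory,
# each mapped to the role that must hold before the handler may run.
PRIVILEGED_PATHS = {
    "/admin/modules/upload": ROLE_ADMIN,
    "/admin/database/import": ROLE_ADMIN,
    "/admin/broadcast": ROLE_ADMIN,
    "/admin/logfile": ROLE_ADMIN,
    "/admin/users/list": ROLE_ADMIN,
}


@dataclass
class Session:
    """Minimal authenticated session: a user name and the roles it holds."""
    user: str
    roles: set = field(default_factory=set)


def unchecked_dispatch(session, path):
    """Weak pattern: authentication only.  Any logged-in user reaches any
    known handler, which is the behaviour the advisory describes."""
    if session is None:
        return 401
    if path in PRIVILEGED_PATHS or path.startswith("/user/"):
        return 200
    return 404


def checked_dispatch(session, path):
    """Hardened pattern: authenticate, then authorize per URL, deny by default.
    The check lives in the dispatcher, so every route is covered even if the
    handler itself forgets to verify the caller's role."""
    if session is None:
        return 401
    required_role = PRIVILEGED_PATHS.get(path)
    if required_role is not None:
        return 200 if required_role in session.roles else 403
    if path.startswith("/user/"):
        return 200  # self-service area open to every authenticated user
    return 404  # unknown path: refuse rather than fall through to a handler


def audit_line(session, path, status):
    """Render one audit record so denied attempts are visible to operators;
    a burst of 403s on admin paths from one account is worth investigating."""
    user = session.user if session is not None else "-"
    return f"authz user={user} path={path} status={status}"


def count_denied_admin_attempts(log_lines):
    """Count 403 records on /admin/ paths in constructed audit output,
    the simplest detection one can run over the lines audit_line emits."""
    hits = 0
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        if fields.get("status") == "403" and fields.get("path", "").startswith("/admin/"):
            hits += 1
    return hits


if __name__ == "__main__":
    alice = Session("alice", {ROLE_USER})
    for path in ("/admin/modules/upload", "/admin/broadcast", "/user/profile"):
        print("unchecked", path, unchecked_dispatch(alice, path))
        print("checked  ", path, checked_dispatch(alice, path))
```

The point of putting the role check in the dispatcher rather than in each page is that it cannot be bypassed by a URL the UI never links to, and every refusal produces an audit record that operators can count.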

