[opencms-dev] OpenCms security advisory?
Alexander Kandzior
alex at opencms.org
Fri Jul 28 13:47:29 CEST 2006
> thanks for sharing this. Indeed it's strange that the release notes do
> not contain at least a reference to that advisory.
But they do:
* Fixed issue #1190: Multiple access control and input validation vulnerabilities
Bug #1190 is exactly the vulnerability report mentioned, please see
http://www.opencms.org/bugzilla/show_bug.cgi?id=1190.
Kind Regards,
Alex.
-------------------
Alexander Kandzior
Alkacon Software GmbH - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
> -----Original Message-----
> From: opencms-dev-bounces at opencms.org
> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of
> Christian Steinert
> Sent: Friday, July 28, 2006 1:08 PM
> To: The OpenCms mailing list
> Subject: Re: [opencms-dev] OpenCms security advisory?
>
> Bastian Ballmann schrieb:
> > Hello,
> >
> > I cannot find a note about this advisory on the mailing list, so I'll
> > send it to you.
> >
> > "OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are
> > vulnerable to multiple access control and input validation vulnerabilities,
> > which allow authenticated users to perform the following unauthorized
> > actions:
> >
> > * View and download application's log file;
> > * Download arbitrary files from the system;
> > * View sources of JSP files (provided they are locked by some other user);
> > * Add webusers;
> > * Upload new OpenCms modules;
> > * Overwrite existing OpenCms modules;
> > * Upload database import/export files;
> > * Overwrite existing database import/export files;
> > * Send broadcast messages to all users;
> > * Send JavaScript to any user (XSS);
> > * Obtain list of all users and groups"
> >
> >
> > http://packetstormsecurity.org/0607-exploits/OpenCMS_multiple_vulnerabilities.txt
> >
> > Those issues were fixed by Alkacon in release 6.2.2, but unfortunately I
> > cannot find any advice that it's important to upgrade to 6.2.2.
> >
> > The release note from Alkacon only said "No important new features have
> > been added since the 6.2.1 version.".
> >
> > Regards
> >
> > Bastian Ballmann
> > --
>
> Dear Bastian,
>
> thanks for sharing this. Indeed it's strange that the release notes do
> not contain at least a reference to that advisory.
>
> The risk is reduced significantly by the fact that a workplace user is
> required to exploit these vulnerabilities:
> "Most of the access control vulnerabilities mentioned above can be
> exploited by accessing the URL that provides the functionality, while
> logged in as unprivileged user(member of Users group)."
>
> But still it would be more than warranted to announce the existence of
> these vulnerabilities and advise people to upgrade.
>
> Especially because the errors were addressed by releasing a new version
> in only slightly more than a week, being open about this issue could
> have led to a feeling of *more* confidence. Like this it feels more as
> if it's being covered up.
>
> Christian