[opencms-dev] OpenCms security advisory?
Christoph P. Kukulies
kuku at physik.rwth-aachen.de
Fri Jul 28 15:49:04 CEST 2006
Do I understand it right: These vulnerabilities all require that
the accessing client has to authorize as a workplace or web user?
I tested the "get /etc/passwd"-test against my 6.0.4 site running
Debian Linux and indeed could fetch that file but it was required to
authorize first (the OpenCms login screen appeared).
Or should one better upgrade every (Internet exposed) site < 6.2.2 now?
--
Chris Christoph P. U. Kukulies kukulies (at) rwth-aachen.de
On Fri, Jul 28, 2006 at 12:33:05PM +0200, Bastian Ballmann wrote:
>
> "OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are
> vulnerable to multiple access control and input validation vulnerabilities,
> which allow authenticated users to perform the following unauthorized
> actions:
>
>
> http://packetstormsecurity.org/0607-exploits/OpenCMS_multiple_vulnerabilities.txt