[opencms-dev] OpenCms security advisory?

Christoph P. Kukulies kuku at physik.rwth-aachen.de
Fri Jul 28 15:49:04 CEST 2006


Do I understand it right: These vulnerabilities all require that
the accessing client authorize as a workplace or web user?

I tested the "get /etc/passwd" test against my 6.0.4 site running
Debian Linux and indeed could fetch that file, but it was required to
authorize first (the OpenCms login screen appeared).

Or should one better upgrade every (Internet exposed) site < 6.2.2 now?

--
Chris Christoph P. U. Kukulies kukulies (at) rwth-aachen.de

On Fri, Jul 28, 2006 at 12:33:05PM +0200, Bastian Ballmann wrote:
> 
> "OpenCms versions 6.2.1, 6.2, 6.0.3, 6.0.4 (possibly older versions too) are
> vulnerable to multiple access control and input validation vulnerabilities,
> which allow authenticated users to perform the following unauthorized
> actions:
> 
> 
> http://packetstormsecurity.org/0607-exploits/OpenCMS_multiple_vulnerabilities.txt
