[opencms-dev] OpenCms security advisory?

Christian Steinert christian_steinert at web.de
Fri Jul 28 16:31:54 CEST 2006


Christoph P. Kukulies schrieb:
> Do I understand it right: These vulnerabilities all require that
> the accessing client has to authorize as a workplace or web user?
> 
> I tested the "get /etc/passwd"-test against my 6.0.4 site running 
> debian linux and indeed could fetch that file but it was required to
> authorize first (the OpenCms login screen appeared).
> 
> Or should one better upgrade every (Internet exposed) site < 6.2.2 now?
> 

P.S. but of course it's still a good idea to update.
When systems are attacked, then an attacker might combine several ways of
getting extended access to the system.


The possibility that a legal user could try to use these vulnerabilities
in order to get more permissions is probably not so much of an issue.

But if somebody would find a new and unknown way to access workplace
functionality without logging in, then they could suddenly do lots of
nasty things by exploiting the issues that are mentioned here.

Therefore it's still a good idea to guard against such vulnerabilities,
even if there are no known real-world scenarios of how they would damage
you.

Christian
