[opencms-dev] OpenCms (7.5.0) - Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error

Manfred Schenk manfred.schenk at zerobyte.de
Mon Aug 10 10:41:36 CEST 2009


Alexander Kandzior wrote:
> Hi all,
> 
> regarding that reported security issues:
> 
>>> I found the following issue about OpenCms (7.5.0) - Vulnerability:
>>> Cross-Site Scripting, Phishing Through Frames, Application Error:
>>>
>>> http://www.securityfocus.com/archive/1/505547
> 
>> I just tried the examples given in the article above on my 7.5.0
>> installation and could not reproduce the mentioned results in the case
>> if I'm not logged into the workplace.
>> If I'm logged in and then enter the URL from the example I can reproduce
>> it with 7.5.0
> 
> We will certainly address and fix these issues in an upcoming 7.5.1 release.

Okay, this sounds okay. By the way, I haven't found an up-to-date
roadmap on the website - is there any information about upcoming
releases available in public?


Some weeks ago (I think it was shortly after the release of 7.5) there
were some discussions about security issues of the image-scaling
functionality. Are they already fixed or will they be fixed together
with the current issue?

> 
> 
> Please note that the security risk of these issues is rather low, since it
> can only be exploited by a user that already has a workplace login. Now
> since this usually is a very small group of people, the risk of this issue
> being actually exploited is quite small.
> 
> Again, we take these issues seriously and will provide a fix in the future.
> However, we don't feel we have to rush a release because of that.

Would it be possible to post a message to this list as soon as these
issues are fixed in the CVS, so that "experienced" users could integrate
it into their running systems without waiting for the release?

Regards,
Manfred


-- 
| Manfred Schenk              | born between RFC638 and RFC640
| PGP-Keys unter              |
| http://www.ZEROByte.de/pgp/ | WWW: http://www.ZEROByte.de/