<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:v = "urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18854">
<STYLE>@font-face {
font-family: Calibri;
}
@page WordSection1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"; FONT-SIZE: 11pt
}
LI.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"; FONT-SIZE: 11pt
}
DIV.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"; FONT-SIZE: 11pt
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
PRE {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Courier New"; FONT-SIZE: 10pt; mso-style-priority: 99; mso-style-link: "HTML Preformatted Char"
}
SPAN.HTMLPreformattedChar {
FONT-FAMILY: "Courier New"; mso-style-priority: 99; mso-style-link: "HTML Preformatted"; mso-style-name: "HTML Preformatted Char"
}
SPAN.EmailStyle19 {
FONT-FAMILY: "Calibri","sans-serif"; COLOR: windowtext; mso-style-type: personal
}
SPAN.snip {
mso-style-name: snip
}
SPAN.EmailStyle21 {
FONT-FAMILY: "Calibri","sans-serif"; COLOR: #1f497d; mso-style-type: personal-reply
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.WordSection1 {
page: WordSection1
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US link=blue vLink=purple>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=新細明體><SPAN
class=061151302-29112011>Hello,</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=新細明體></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=新細明體><SPAN class=061151302-29112011>On
publishing a file, all the cache will be cleared. Is there a way that it only
clears the cache of the published files?</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=新細明體><SPAN
class=061151302-29112011></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=新細明體><SPAN
class=061151302-29112011></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=新細明體><SPAN
class=061151302-29112011>Thanks</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=新細明體><SPAN
class=061151302-29112011>Vince</SPAN></FONT></DIV>
<DIV><BR></DIV>
<DIV dir=ltr lang=zh-tw class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> opencms-dev-bounces@opencms.org
[mailto:opencms-dev-bounces@opencms.org] <B>On Behalf Of </B>Alexandru
Gyori<BR><B>Sent:</B> Tuesday, November 29, 2011 4:30 AM<BR><B>To:</B>
opencms-dev@opencms.org<BR><B>Subject:</B> [opencms-dev] Security
issue<BR><B>Importance:</B> High<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=WordSection1>
<P class=MsoNormal>Hello,<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>I’d like to report a security vulnerability in
OpenCMS.<o:p></o:p></P>
<P class=MsoNormal>I have downloaded the OpenCMS_8.0.3 sources; this
vulnerability is present in the current svn source files.<o:p></o:p></P>
<P class=MsoNormal>In org.opencms.i18n.CmsEncoder you have the
method:<o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<PRE><SPAN
style="COLOR: #17375e; mso-style-textfill-fill-color: #17375E; mso-style-textfill-fill-alpha: 100.0%">/**
 * A simple method to avoid injection.&lt;p&gt;
 *
 * Replaces all single quotes to double single quotes in the value parameter of the SQL statement.&lt;p&gt;
 *
 * @param source the String to escape SQL from
 * @return the escaped value of the parameter source
 */
public static String escapeSql(String source) {

    return source.replaceAll("'", "''");
}</SPAN></PRE>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>This method is unsafe and vulnerable as you can find out by
reading: <A
href="http://www.unixwiz.net/techtips/sql-injection.html">http://www.unixwiz.net/techtips/sql-injection.html</A><o:p></o:p></P>
<P class=MsoNormal>The aforementioned method does not properly sanitize
SQL.<o:p></o:p></P>
<P class=MsoNormal>The point of interest is:<o:p></o:p></P>
<P class=MsoNormal><SPAN style="COLOR: red">“<o:p></o:p></SPAN></P>
<P style="MARGIN-LEFT: 0.5in" class=MsoNormal><SPAN
style="FONT-FAMILY: 'Times New Roman','serif'; COLOR: red; FONT-SIZE: 12pt">However,
this naïve approach can be beaten because most databases support other string
escape mechanisms. MySQL, for instance, also permits <B>\'</B> to escape a
quote, so after input of \'; DROP TABLE users; -- is "protected" by doubling the
quotes, we get: <o:p></o:p></SPAN></P>
<PRE style="MARGIN-LEFT: 0.5in"><SPAN
style="FONT-FAMILY: 'Courier New'; COLOR: red; FONT-SIZE: 10pt">SELECT <I>fieldlist</I>
  FROM customers
 WHERE name = '\''; DROP TABLE users; --'; -- Boom!</SPAN></PRE>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Courier New'; COLOR: red; FONT-SIZE: 10pt">”</SPAN><SPAN
style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 10pt"><o:p></o:p></SPAN></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Hope you’ll fix this soon. Good luck<SPAN
style="COLOR: #1f497d">!</SPAN><o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
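<P class=MsoNormal>Editorial example added to this thread (not code from OpenCms or from Alexandru's report): a small MySQL-style string-literal scanner that honours both the doubled-quote and the backslash escape, used to check whether a value survives inside its quotes after escaping. It re-implements the quote-doubling of <code>escapeSql</code> in Python and contrasts it with an escaper that also doubles backslashes; the scanner's assumption is that backslash escapes are enabled (the MySQL default).</P>

```python
# Added example, not OpenCms code. Shows why doubling single quotes alone does
# not keep a value inside a MySQL string literal once the server also treats
# backslash as an escape character, and checks an escaper against a scanner.

def escape_quotes_only(value: str) -> str:
    """Re-implementation of the quote-doubling approach from the report: ' -> ''."""
    return value.replace("'", "''")

def escape_quotes_and_backslashes(value: str) -> str:
    """Also doubles backslashes so a trailing \\ cannot consume the closing quote.
    Assumption: backslash escapes are enabled on the server (MySQL default);
    the real fix is parameter binding (PreparedStatement), not string escaping."""
    return value.replace("\\", "\\\\").replace("'", "''")

def literal_end(sql: str, start: int) -> int:
    """Return the index just past the string literal whose opening quote is at
    sql[start], using MySQL rules: '' and \\' stay inside the literal and \\x
    escapes any single character x. Returns -1 if the literal is unterminated."""
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2                      # backslash escapes the next character
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # doubled quote stays inside the literal
            else:
                return i + 1            # closing quote found
        else:
            i += 1
    return -1

def statements_after_value(escaper, value: str) -> str:
    """Embed the escaped value in the report's query shape and return whatever
    the scanner sees after the literal closes. An empty string means the
    value stayed inside its quotes; anything else would be parsed as SQL."""
    sql = "SELECT fieldlist FROM customers WHERE name = '" + escaper(value) + "'"
    end = literal_end(sql, sql.index("'"))
    return sql[end:] if end != -1 else "<unterminated>"

# Constructed input modelled on the payload quoted in the report.
PAYLOAD = "\\'; DROP TABLE users; --"

if __name__ == "__main__":
    for name, esc in (("quotes only", escape_quotes_only),
                      ("quotes + backslashes", escape_quotes_and_backslashes)):
        print(f"{name:22s} -> leaked SQL: {statements_after_value(esc, PAYLOAD)!r}")
```

A harmless value such as O'Brien stays inside the literal under both escapers; only the backslash-prefixed input escapes the quote-only version, and only under a server mode that honours backslash escapes, which is why escaping must match the server's sql_mode and is a poor substitute for bound parameters.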
<P class=MsoNormal>Regards,<o:p></o:p></P>
<P class=MsoNormal>Alexandru GYORI<o:p></o:p></P>
<P class=MsoNormal>Junior researcher IEAT<o:p></o:p></P></DIV></BODY></HTML>