Computer Security

Security Advisory: OpenCms version 6.0.x Xml Content Demo search engine Cross site scripting
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [SA20165] FrontRange iHEAT Host System Access Vulnerability

  Diesel Joke Site SQL INJECTION

  YLZH(right.
php)Cross Site Scripting

  Mambo <= 4.6. RC1 xss

From:jaime.blasco_(at)_eazel.es <jaime.blasco_(at)_eazel.es>
Date:25.05.2006
Subject:OpenCms version 6.0.x Xml Content Demo search engine Cross site scripting

Version: Tested on:
         - 6.0.0
         - 6.0.2
         - 6.0.3

Discovered by: jaime.blasco(at)eazel(dot).es
http://www.eazel.es

Description:    
Input passed to the search query in the Xml Content Demo search engine isn't properly sanitised. This can be
exploited to conduct cross-site scripting attacks.
Example:

http://host/opencms/opencms/system/modules/org.opencms.frontend.
templateone/pages/search.
html?action=search&query=%22%3E%3Cscript%3Ealert%28'w
ww.eazel.es'%29%3C%2Fscript%3E%3C!-
&index=Online+project+%28VFS%29&page=1&uri=%2Fxmlcontentd
emo%2Fside_element_demo.
html&__locale=en&query2=%3Cscript%3Ealert%28a%29%3C%
2Fscript%3E

Original advisory:
http://www.eazel.es/media/advisory002-OpenCms-Xml-Content-Demo-search-engine-Cros
s-site-scripting.html
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru
test server