Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

Enterprise TimeSheet and Payroll (EPS) <= v.1.1 Remote File Include Vulnerability

MailEnable Enterprise Edition ASP Version <= 2.0

phpOnDirectory (CONST_INCLUDE_RO OT) <= v.1.0 Remote File Include Vulnerability

aePartner (dir[data]) <= v.0.8.3 Remote File Include Vulnerability

From:	Aesthetico <admin_(at)_majorsecurity.de>
Date:	11.06.2006
Subject:	[MajorSecurity #11]OpenCMS<= 6.2.1 - XSS

[MajorSecurity #11]OpenCMS<= 6.2.1 - XSS
------------------------------------------

Software: OpenCMS

Version: <=6.2.1

Type: Cross site scripting

Date: June, 10th 2006

Vendor: Alkacon Software GmbH  

Page: http://www.alkacon.com
     http://www.opencms.org/opencms/en/


Credits:
----------------------------

Discovered by: David "Aesthetico" Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------
http://www.majorsecurity.de/advisory/major_rls11.txt

Affected Products:
----------------------------

OpenCMS 6.2.1 and prior

Description:
----------------------------

OpenCms is a professional level Open Source Website Content Management System.

Requirements:
----------------------------

register_globals = On

Vulnerability:
----------------------------

Input passed to the search inputbox/query is not properly verified.
This can be exploited to accomplish cross site sctipting attacks.


Solution:
----------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "strip_tags()" php-function to ensure that html tags
are not going to be executed.

Example:
<?php
 echo htmlspecialchars("<script");
?>

Set "register_globals" to "Off".

Exploitation:
---------------------------
Goto the search query/inputbox and type in following line as searchword:

<script>alert("MajorSecurity")</script>