Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: b06-2887.htm

OpenCMS<= 6.2.1 - XSS



OpenCMS<= 6.2.1 - XSS
OpenCMS<= 6.2.1 - XSS



[MajorSecurity #11]OpenCMS<= 6.2.1 - XSS=0D
------------------------------------------=0D
=0D
Software: OpenCMS=0D
=0D
Version: <=6.2.1=0D
=0D
Type: Cross site scripting=0D
=0D
Date: June, 10th 2006=0D
=0D
Vendor: Alkacon Software GmbH  =0D
=0D
Page: http://www.alkacon.com=0D 
http://www.opencms.org/opencms/en/=0D 
=0D
=0D
Credits:=0D
----------------------------=0D
=0D
Discovered by: David "Aesthetico" Vieira-Kurz=0D
http://www.majorsecurity.de=0D 
=0D
Original Advisory:=0D
----------------------------=0D
http://www.majorsecurity.de/advisory/major_rls11.txt=0D 
=0D
Affected Products:=0D
----------------------------=0D
=0D
OpenCMS 6.2.1 and prior=0D
=0D
Description:=0D
----------------------------=0D
=0D
OpenCms is a professional level Open Source Website Content Management System.=0D
=0D
Requirements:=0D
----------------------------=0D
=0D
register_globals = On=0D
=0D
Vulnerability:=0D
----------------------------=0D
=0D
Input passed to the search inputbox/query is not properly verified.=0D
This can be exploited to accomplish cross site sctipting attacks.=0D
=0D
=0D
Solution:=0D
----------------------------=0D
Edit the source code to ensure that input is properly sanitised.=0D
You should work with "htmlspecialchars()" or "strip_tags()" php-function to ensure that html tags=0D
are not going to be executed.=0D
=0D
Example:=0D
=0D
=0D
Set "register_globals" to "Off".=0D
=0D
Exploitation:=0D
---------------------------=0D
Goto the search query/inputbox and type in following line as searchword:=0D
=0D
=0D
=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH