OpenCMS OAMP Comments Module 1.0.0 XSS

#######################################################################
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#######################################################################
#
# CVE ID : CVE-2009-4505
# Product: OpenCMS OAMP Comments Module 1.0.0
# Vendor:  Open Source, Alkacon GmbH (Cologne, Germany)
# Subject: Cross-site scripting (XSS)
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    December 24th 2009
#
#######################################################################

Introduction:
-------------
Cyrill Brunschwiler of Compass Security discovered a web application
security flaw in the OpenCMS OAMP comments module.

Vulnerable:
-----------
OAMP comments module version 1.0.0

Patches:
--------
Get the latest version from the opencms cvs at http://cvs.opencms.org/

Fix:
----
All output must be encoded using HTML entities. For that purpose the
escapeXml attribute must not being set false on all c:out tags. Moreover,
all fmt:param outputs must be encoded as well.

Example:

 

Alternatively one could use the OWASP ESAPI (Enterprise Security API) to
encode all output. For more details on the OWASP ESAPI consult the google
code repository and see http://www.owasp.org/index.php/ESAPI 

Example:
String clean = ESAPI.encoder().encodeForHTML(maliciousInput);

Description:
------------
The OAMP comments module allows OpenCMS users to add comments to pages.
However, the comment module reflects unfiltered user input. Following
that, attackers could injected HTML code and JavaScript code which gets
executed within all visitors web browsers. 

Exploiting the vulnerability will lead to so-called cross-site scripting
(XSS) and allows the impersonation of logged-in OpenCMS web and workplace
users. Attackers could also embbed arbitrary content such as faked login
forms or redirect OpenCMS users to malware pages.

Milestones:
-----------
December 24th 2009, Vulnerability discovered
January 6th 2010, Vendor notified
March 13rd 2010, Fixed in CVS (m.jaeger)

References:
-----------
OpenCMS - http://www.opencms.org/en/

OpenCms from Alkacon Software is a professional, easy to use website
content management system. OpenCms helps content managers worldwide to
create and maintain beautiful websites fast and efficiently.

OpenCMS OAMP Modules - http://www.alkacon.com/en/products/oamp/index.html

The Alkacon OpenCms Add-On Module Package (also called OAMP) is a set of
free, open source extension modules for OpenCms. Alkacon OAMP adds front-
end related features to OpenCms that may be useful in case special
functionalities are required.

XSS - http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a
web application to send malicious code, generally in the form of a browser
side script, to a different end user. Flaws that allow these attacks to
succeed are quite widespread and occur anywhere a web application uses
input from a user in the output it generates without validating or
encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user’s browser has no way to know that the script should not
be trusted, and will execute the script. Because it thinks the script came
from a trusted source, the malicious script can access any cookies,
session tokens, or other sensitive information retained by your browser
and used with that site. These scripts can even rewrite the content of the
HTML page.

OpenCMS 5.01 Session Fixation

Compass Security AG - Advisory August 25th, 2004

http://www.csnc.ch/

--------------------------------------------------------------------------

Application : OpenCMS
Component : core
Version : 5.01
Platforms : all
Vulnerability : session fixation
Risk : critical
Problem-Type : user, session, account hijacking

--------------------------------------------------------------------------

Content:

1) Introduction
2) Who is affected
3) Who is not affected
4) Bugfix
5) Additional papers

--------------------------------------------------------------------------

1) Introduction

Brunschwiler Cyrill discovered a session fixation problem in OpenCMS 5.01,
an Open Source Content Management System built on Java Servlet Technologie.
Since OpenCMS will not change the session identifier after a successfull
login, hackers may obtain valid session identifiers from the system which
later can be used to phish users accounts.

2) Who is affected:

Mainly OpenCMS deployments which run dynamic content and use the OpenCMS
login methods. The vulnerability does not affect the backoffice login. It
does only affect self programmed login procedures which use methods such as
cmso.loginWebUser(username, password);

3) Who is not affected:

OpenCMS deployments which do not take advantage of the OpenCMS built in login
methods and fully static exported sites.

4.a) Bugfix for version 5.01:

Because OpenCMS session andling is based on the servlet containers session
handling it does not take care of the login state but only of the application
state. This means that developers should force the servlet container to
change the session identifier in case of a login try because this will avoid
to authenticate sessions of phished users. To solve this issue simply
invalidate the containers session before a login statement.

--- snippet ---

session.invalidate();
cmso.loginWebUser(username, password);

---

4.b) Bugfix for further releases:

OpenCMS should automatically renew the session after a successfull login attempt.

5.a) Additional papers - German

http://www.csnc.ch/static/download/publications/SessionFixationVulnerablityV1.0.pdf http://www.securityinfo.ch/phising.html

5.b) Additional papers - English

http://www.acros.si/papers/session_fixation.pdf


http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.pdf

5.c) Additional papers - About Compass Security

http://www.csnc.ch/static/Compass_Profile_de.pdf