OpenCMS OAMP Comments Module 1.0.0 XSS

#######################################################################
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#######################################################################
#
# CVE ID : CVE-2009-4505
# Product: OpenCMS OAMP Comments Module 1.0.0
# Vendor:  Open Source, Alkacon GmbH (Cologne, Germany)
# Subject: Cross-site scripting (XSS)
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    December 24th 2009
#
#######################################################################

Introduction:
-------------
Cyrill Brunschwiler of Compass Security discovered a web application
security flaw in the OpenCMS OAMP comments module.

Vulnerable:
-----------
OAMP comments module version 1.0.0

Patches:
--------
Get the latest version from the OpenCms CVS at http://cvs.opencms.org/

Fix:
----
All output must be encoded using HTML entities. For that purpose the
escapeXml attribute must not be set to false on any c:out tag. Moreover,
all fmt:param outputs must be encoded as well.

Example:

 

Alternatively one could use the OWASP ESAPI (Enterprise Security API) to
encode all output. For more details on the OWASP ESAPI consult the Google
Code repository and see http://www.owasp.org/index.php/ESAPI

Example:
import org.owasp.esapi.ESAPI;
// encodeForHTML() turns <, >, &, ' and " into entities before the value reaches the page
String clean = ESAPI.encoder().encodeForHTML(maliciousInput);
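An added illustration of the fix described above, not taken from the advisory or from the OAMP module's own JSPs, assuming a comment bean exposed as ${comment} with text and author properties and a message key comment.postedby: the vulnerable c:out beside its hardened form, and a fmt:param wrapped in c:out so that the parameter is entity-encoded as well.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>

<%-- Vulnerable: escapeXml="false" writes the stored comment verbatim into the
     response, so any markup a visitor typed is rendered and scripts execute. --%>
<div class="comment">
  <c:out value="${comment.text}" escapeXml="false" />
</div>

<%-- Hardened: escapeXml defaults to true, so <, >, &, ' and " become
     &lt; &gt; &amp; &#039; &#034; and the comment is shown as plain text. --%>
<div class="comment">
  <c:out value="${comment.text}" />
</div>

<%-- fmt:param does not encode its value. Supplying it through the tag body
     lets c:out escape the author name before it is substituted into the
     localized message (assumed key: comment.postedby = "Posted by {0}"). --%>
<p class="author">
  <fmt:message key="comment.postedby">
    <fmt:param><c:out value="${comment.author}" /></fmt:param>
  </fmt:message>
</p>
```

Auditing a module for this class of bug means grepping every JSP for escapeXml="false" and for fmt:param tags whose value attribute carries user-supplied data.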

Description:
------------
The OAMP comments module allows OpenCMS users to add comments to pages.
However, the comment module reflects unfiltered user input. As a result,
attackers could inject HTML and JavaScript code which gets executed in
the web browsers of all visitors.

Exploiting the vulnerability will lead to so-called cross-site scripting
(XSS) and allows the impersonation of logged-in OpenCMS web and workplace
users. Attackers could also embed arbitrary content such as faked login
forms or redirect OpenCMS users to malware pages.

Milestones:
-----------
December 24th 2009, Vulnerability discovered
January 6th 2010, Vendor notified
March 13th 2010, Fixed in CVS (m.jaeger)

References:
-----------
OpenCMS - http://www.opencms.org/en/

OpenCms from Alkacon Software is a professional, easy to use website
content management system. OpenCms helps content managers worldwide to
create and maintain beautiful websites fast and efficiently.

OpenCMS OAMP Modules - http://www.alkacon.com/en/products/oamp/index.html

The Alkacon OpenCms Add-On Module Package (also called OAMP) is a set of
free, open source extension modules for OpenCms. Alkacon OAMP adds front-
end related features to OpenCms that may be useful in case special
functionalities are required.

XSS - http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a
web application to send malicious code, generally in the form of a browser
side script, to a different end user. Flaws that allow these attacks to
succeed are quite widespread and occur anywhere a web application uses
input from a user in the output it generates without validating or
encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user’s browser has no way to know that the script should not
be trusted, and will execute the script. Because it thinks the script came
from a trusted source, the malicious script can access any cookies,
session tokens, or other sensitive information retained by your browser
and used with that site. These scripts can even rewrite the content of the
HTML page.

DokuWiki Version 2007-06-26 XSS

#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#############################################################
#
# CVE ID : CVE-2007-3930
# Product: DokuWiki
# Vendor:  DokuWiki Project
# Subject: Cross-site scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    July 19th 2007
#
#############################################################

Introduction:
-------------
Compass Security discovered a web application security flaw in the DokuWiki application.

Vulnerable:
-----------
DokuWiki Version 2007-06-26 and prior

Not vulnerable:
---------------
DokuWiki Version 2007-06-26b

Patches:
--------
DokuWiki Version 2007-06-26b available from the DokuWiki download page.

Fix:
----
Remove the function spell_utf8test() from the PHP script named lib/exe/spellcheck.php

Description:
------------
The spell checker PHP script provides a test function which reflects unfiltered user input. Due to the MIME-sniffing feature of Microsoft's Internet Explorer, injected JavaScript code gets executed even though the Content-Type header is set to text/plain.

Exploiting the vulnerability will lead to so-called cross-site scripting (XSS) and allows the impersonation of logged-in DokuWiki users.

Milestones:
-----------
July 18th, Vulnerability discovered
July 18th, Vendor notified
July 19th, Vendor provided patched version

References:
-----------
Vendor Bug Report reference:
http://bugs.splitbrain.org/index.php?do=details&task_id=1195

DokuWiki reference:
http://wiki.splitbrain.org/wiki:dokuwiki

DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind. It is targeted at developer teams, workgroups and small companies. It has a simple but powerful syntax which makes sure the datafiles remain readable outside the Wiki and eases the creation of structured texts. All data is stored in plain text files – no database is required.

XSS reference:
http://en.wikipedia.org/wiki/Cross-site_scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued.

SAP NetWeaver, Web Dynpro Java (BC-WD-JAV) multiple XSS

#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: NetWeaver, Web Dynpro Java (BC-WD-JAV)
# Vendor: SAP
# Subject: Multiple XSS, HTML Injection
# Risk: Medium
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler (at) csnc (dot) ch)
# Date: June 17th 2007
#
#############################################################

Introduction:
-------------
Compass Security discovered a web application security flaw (XSS) in the
SAP Web Dynpro Java (BC-WD-JAV) running in either the testing or
development mode.

Vulnerable:
-----------
SAP NetWeaver Nw04 SP15 to SP 19
SAP NetWeaver Nw04s SP7 to SP 11

Not vulnerable:
---------------
Customers who run their system in production mode.

SAP Java Technology Services 640 SP20
SAP Web Dynpro Runtime Core Components 700 SP12

Vulnerability Management:
-------------------------
January 2007: Vulnerability found
January 2007: SAP Security notified
February 2007: SAP confirmation
April/May 2007: Patches available
June 2007: Compass Security Information

SAP Information Policy:
-------------------------
The information is available to registered SAP clients only (SAP
Security Notes)

Patches:
--------
Apply the latest Web Dynpro patch according to the related notes. (See
SAP Note No. 1045640, 946608).

Description
-----------
The NetWeaver application includes the content of the User-Agent header
in the server response body without applying proper encoding. Exploiting
the vulnerability requires an attacker to spoof the User-Agent header of
the victim's request; abusing technologies such as JavaScript or Flash
allows conducting such an attack.

XSS Ref: http://en.wikipedia.org/wiki/Cross-site_scripting


SAP Internet Communication Framework (BC-MID-ICF) multiple XSS

#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: Internet Communication Framework (BC-MID-ICF)
# Vendor: SAP
# Subject: Multiple XSS, HTML Injection
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler (at) csnc (dot) ch)
# Date: June 17th 2007
#
#############################################################

Introduction:
-------------
Compass Security discovered multiple web application security flaws in
the SAP Internet Communication Framework (BC-MID-ICF).

Vulnerable:
-----------
SAP Basis component 640 SP19 and lower
SAP Basis component 700 SP11 and lower

Not vulnerable:
---------------
Customers who registered a customized login error page for SICF
transactions (e.g. for default_host) may not suffer from this vulnerability.

SAP Basis component 640 SP20
SAP Basis component 700 SP12

Vulnerability Management:
-------------------------
October 2006: Vulnerability found
October 2006: SAP Security notified
November 2007: SAP confirmation
April/May 2007: Patches available
June 2007: Compass Security Information

SAP Information Policy:
-------------------------
The information is available to registered SAP clients only (SAP
Security Notes)

Patches:
--------
Available at SAP (See SAP Note No. 1022102).

Description
-----------
The default login error page reflects unfiltered user input for multiple
fields. Exploiting the vulnerability will lead to so-called cross-site
scripting (XSS).

XSS Ref: http://en.wikipedia.org/wiki/Cross-site_scripting
