OpenCms (7.5.0) - Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error

Application: OpenCms

Version: 7.5.0

Hardware: Tomcat/Oracle

Vulnerability: Cross-Site Scripting, Phishing Through Frames,
Application Error


Overview:

Various URLs within the deployed OpenCms application version 7.5.0 are
open to attacks, including Cross-Site Scripting, Phishing Through Frames
and Application Error.  Some of these attacks allow injection of scripts
into a parameter in the request.  The application should filter out such
hazardous characters from user input.

Example follows:
Vulnerable URL (from the OpenCms VFS):
/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/
help_head.jsp?&homelink=>"><script>alert("This%20site%20has%20been%20co
mpromised")</script>

Results:
Insertion of the script into the homelink parameter successfully embeds
the script in the response and is executed once the page is loaded into
the users browser (i.e. vulnerable to Cross-Site Scripting)



Below find the complete list of vulnerable URLs (all paths are relative
to the OpenCms VFS).  All issues are of High risk.



/opencms/opencms/system/modules/org.opencms.workplace.help/elements/sear
ch.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): query

Vulnerability(s): Cross-Site Scripting



/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/
help_head.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): homelink

Vulnerability(s): Cross-Site Scripting, Phishing Through Frames



/opencms/opencms/system/workplace/commons/preferences.jsp

Remediation: Verify that parameter values are in their expected ranges
and types. Do not output debugging error messages and exceptions

Parameter(s): tabdicopyfilemode, tabdicopyfoldermode,
tabdideletefilemode

Vulnerability(s): Application Error



/opencms/opencms/system/workplace/commons/property.jsp

Remediation: Filter out hazardous characters from user input

Parameter: resource

Vulnerability(s): Cross-Site Scripting



/opencms/opencms/system/workplace/commons/publishproject.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): title, cancel, dialogtype, framename, progresskey,
projected, projectname, publishsiblings, relatedresources, subresources

Vulnerability(s): Cross-Site Scripting, Phishing Through Frames, SQL
Injection



/opencms/opencms/system/workplace/commons/publishresource.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s):

Vulnerability(s): Cross-Site Scripting



/opencms/opencms/system/workplace/commons/unlock.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): title

Vulnerability(s): Cross-Site Scripting, Phishing Through Frames



/opencms/opencms/system/workplace/editors/editor.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): resource

Vulnerability(s): Cross-Site Scripting



/opencms/opencms/system/workplace/editors/dialogs/elements.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): elementlanguage, resource, title

Vulnerability(s): Cross-Site Scripting, Phishing Through Frames



/opencms/opencms/system/workplace/locales/en/help/index.html

Remediation: Filter out hazardous characters from user input

Parameter(s): workplaceresource

Vulnerability(s): Phishing Through Frames



/opencms/opencms/system/workplace/views/admin/admin-main.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): path

Vulnerability(s): Cross-Site Scripting



/opencms/opencms/system/workplace/views/explorer/contextmenu.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): acttarget

Vulnerability(s): Cross-Site Scripting, Phishing Through Frames



/opencms/opencms/system/workplace/views/explorer/explorer_files.jsp

Remediation: Filter out hazardous characters from user input

Parameter(s): mode

Vulnerability(s): Cross-Site Scripting





Katie French

CGI Federal

12601 Fair Lakes Circle

Fairfax,VA 22033

FFX: (703) 227-5642

RRB: (202) 564-0475