NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2007-07

[Full-disclosure] CVE-2007-3693: Cross site scripting and information disclosure in gobi/helma

From: Hanno Böck (mailhboeck.de)
Date: Wed Jul 11 2007 - 17:44:29 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://int21.de/cve/CVE-2007-3693-gobi.txt

Cross site scripting and information disclosure in gobi/helma

security advisory

References:
http://gobi.helma.org/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3693

Description:
Cross site scripting describes attacks that allow to insert malicious
html or javascript code via get or post forms. This can be used to steal
session cookies.
helma is a javascript-based application server, gobi is a cms
based on helma. It's used on some popular pages, e. g. the ORF.
The search-function can be used to inject javascript code.
It will cause an information disclosure about the system path of helma
if filled with invalid chars.

Workaround/Fix:
There's no vendor fix. All input strings in web applications should be
escaped properly and error messages containing paths should be suppressed
on live installations.
Vendor has been contacted 2007-04-12 and hasn't answered yet.

Sample injection URLs:
http://gobi.helma.org/search/?q=<script>alert(1)</script>
http://dev.helma.org/search/?q=<script>alert(1)</script>
http://tv.orf.at/search?keyword="><script>alert(1)</script>

Sample information disclosure URLs:
http://gobi.helma.org/search/?q="
http://dev.helma.org/search/?q="

CVE Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3693 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

Credits and copyright:
This vulnerability was discovered by Hanno Boeck of schokokeks.org
webhosting, http://www.schokokeks.org
It's licensed under the creative commons attribution license:
http://creativecommons.org/licenses/by/3.0/

Hanno Boeck, 2007-07-12, http://www.hboeck.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.5 (GNU/Linux)

iD8DBQBGlV1Qr2QksT29OyARAiOJAJ92btGZbltsw9ERHY9H2C//4ZG1agCfdxaK
cnZbYduxDEzNDv8iD9xvWs8=
=DLFj
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]