Cross site scripting and information disclosure in gobi/helmaWednesday, 5 December 2007Cross site scripting and information disclosure in gobi/helma
security advisory
References: http://gobi.helma.org/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3693
Description: Cross site scripting describes attacks that allow to insert malicious html or javascript code via get or post forms. This can be used to steal session cookies. helma is a javascript-based application server, gobi is a cms based on helma. It's used on some popular pages, e. g. the ORF. The search-function can be used to inject javascript code. It will cause an information disclosure about the system path of helma if filled with invalid chars.
Workaround/Fix: There's no vendor fix. All input strings in web applications should be escaped properly and error messages containing paths should be suppressed on live installations. Vendor has been contacted 2007-04-12 and hasn't answered yet.
Sample injection URLs: http://gobi.helma.org/search/?q=<script>alert(1)</script> http://dev.helma.org/search/?q=<script>alert(1)</script> http://tv.orf.at/search?keyword="><script>alert(1)</script>
Sample information disclosure URLs: http://gobi.helma.org/search/?q=" http://dev.helma.org/search/?q="
CVE Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-3693 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
Credits and copyright: This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting, http://www.schokokeks.org It's licensed under the creative commons attribution license: http://creativecommons.org/licenses/by/3.0/
Hanno Boeck, 2007-07-12, http://www.hboeck.de
Share this content:
|