Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Alkacon OpenCms tree_files.jsp resource XSS

from [nnposter] Network Security [Permanent Link]
Subject: Alkacon OpenCms tree_files.jsp resource XSS
Date: 24 Feb 2008 21:51:24 -0000 
Alkacon OpenCms tree_files.jsp resource XSS


Product: Alkacon OpenCms 
http://www.opencms.org/


OpenCms contains a cross-site scripting vulnerability in the file tree 
navigation function. An invalid value supplied to parameter resource in page 
opencms/system/workplace/views/explorer/tree_files.jsp is not sanitized before 
it gets embedded in the HTML output as part of a JavaScript comment.

Example:
http://(target)/opencms/opencms/system/workplace/views/explorer/tree_files.jsp?resource=+*/+alert(document.cookie);+/*+/


The vulnerability has been identified in version 7.0.3. However, other versions 
may be also affected.


Solution:
Users should not browse untrusted sites while logged into OpenCms.


Found by:
nnposter
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Alkacon OpenCms tree_files.jsp resource XSS, nnposter <=
Previous by Date:  Pigyard Art Gallery Multiple SQL Injection, No-Reply
Next by Date:  Packeteer Products File Listing XSS, nnposter
Previous by Thread:  Pigyard Art Gallery Multiple SQL Injection, No-Reply
Next by Thread:  Packeteer Products File Listing XSS, nnposter
Indexes:  [Date] [Thread] [Top] [All Lists]