[Full-disclosure] CVE-2007-3693: Cross site scripting and information disclosure in gobi/helma

From: "Hanno Böck" <mail@xxxxxxxxx>
Date: Thu, 12 Jul 2007 00:44:29 +0200

http://int21.de/cve/CVE-2007-3693-gobi.txt

Cross site scripting and information disclosure in gobi/helma

security advisory

References:
http://gobi.helma.org/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3693

Description:
Cross site scripting describes attacks that allow to insert malicious
html or javascript code via get or post forms. This can be used to steal
session cookies.
helma is a javascript-based application server, gobi is a cms
based on helma. It's used on some popular pages, e. g. the ORF.
The search-function can be used to inject javascript code.
It will cause an information disclosure about the system path of helma
if filled with invalid chars.

Workaround/Fix:
There's no vendor fix. All input strings in web applications should be
escaped properly and error messages containing paths should be suppressed
on live installations.
Vendor has been contacted 2007-04-12 and hasn't answered yet.

Sample injection URLs:
http://gobi.helma.org/search/?q=<script>alert(1)</script>
http://dev.helma.org/search/?q=<script>alert(1)</script>
http://tv.orf.at/search?keyword=";><script>alert(1)</script>

Sample information disclosure URLs:
http://gobi.helma.org/search/?q=";
http://dev.helma.org/search/?q=";

CVE Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3693 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

Credits and copyright:
This vulnerability was discovered by Hanno Boeck of schokokeks.org
webhosting, http://www.schokokeks.org
It's licensed under the creative commons attribution license:
http://creativecommons.org/licenses/by/3.0/

Hanno Boeck, 2007-07-12, http://www.hboeck.de

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] TippingPoint IPS Signature Evasion
Next by Date: [Full-disclosure] rPSA-2007-0138-1 gimp
Previous by thread: [Full-disclosure] Updated versions of EFS and GPF
Next by thread: [Full-disclosure] rPSA-2007-0138-1 gimp
Index(es):
- Date
- Thread

Relevant Pages

[Full-disclosure] Cross site scripting in mephisto 0.7.3
... Cross site scripting describes attacks that allow to insert malicious ... html or javascript code via get or post forms. ... mephisto is a rails-based blog application. ...
(Full-Disclosure)
Cross site scripting in mephisto 0.7.3
... Cross site scripting describes attacks that allow to insert malicious ... html or javascript code via get or post forms. ... mephisto is a rails-based blog application. ...
(Bugtraq)
CVE-2007-1871: Cross site scripting in chcounter 3.1.3
... Cross site scripting describes attacks that allow to insert malicious ... chcounter is some free software php script for website statistics. ... login form on the start page can be used to insert javascript code. ...
(Bugtraq)
[Full-disclosure] CVE-2007-1871: Cross site scripting in chcounter 3.1.3
... Cross site scripting describes attacks that allow to insert malicious ... chcounter is some free software php script for website statistics. ... login form on the start page can be used to insert javascript code. ...
(Full-Disclosure)
[Full-disclosure] CVE-2007-1872: Cross site scripting in toendaCMS 1.5.3
... Cross site scripting describes attacks that allow to insert malicious ... html or javascript code via get or post forms. ... toendacms is a content management system. ...
(Full-Disclosure)