by r0t, der4444, cembo, VietMafia

Wednesday, December 21, 2005

OpenEdit XSS vuln.

Vuln. discovered by: r0t
Date: 21 Dec. 2005
Vendor: http://www.openedit.org
Affected version: 4.0 and prior

Product Description:

Developed in partnership with Web designers, OpenEdit offers a host of popular features. It includes easy online editing, sophisticated eCommerce, corporate blogging and dynamic layouts in an open source environment for flexible, advanced website development. OpenEdit President Christopher Burkey and a core team of expert Java architects have created OpenEdit by combining the best of existing Java frameworks.

Vuln. Description:

OpenEdit contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "page" and "oe-action" parameters of the search results page is not properly sanitised before being returned to the user in the response.
This allows an attacker to craft a URL that, when followed by a victim, executes arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity (for example, theft of the session cookie or actions performed with the victim's privileges).

Examples:
/store/search/results.html?query=&department=&oe-action=[XSS]
/store/search/results.html?page=[XSS]

Solution:
Edit the source code so that the values of the "page" and "oe-action" parameters are properly sanitised (HTML entity-encoded) before being written into any response page, including error pages; alternatively, reject values that are not of the expected form (a positive integer for "page", a known action name for "oe-action") instead of echoing them back.
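The following is an added example, not OpenEdit's code: a stand-in for the results page that reflects the "page" and "oe-action" parameters the way the advisory describes, beside a hardened version that entity-encodes every reflected value, plus the probe one would use to verify the report. The handler names, the error-page layout and the way a bad page number or unknown action falls into an error page are assumptions made for the example.

```javascript
// Added example (not OpenEdit code). A vulnerable and a hardened results-page
// handler for the advisory's two parameters, and a reflection probe.
// Handler names, parameter handling and the error-page layout are assumptions.

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse the query string of a request path into a plain object.
// (URL is a Node.js global; the base is only needed to parse a relative path.)
function params(urlString) {
  const u = new URL(urlString, "http://localhost");
  return Object.fromEntries(u.searchParams.entries());
}

// Vulnerable: unknown actions and non-numeric page numbers fall into an error
// page that echoes the raw value back, so a crafted URL gets its markup
// interpreted by the browser.
function renderResultsVulnerable(urlString) {
  const q = params(urlString);
  if (q["oe-action"] !== undefined && q["oe-action"] !== "search") {
    return `<html><body><h1>Error</h1><p>Unknown action: ${q["oe-action"]}</p></body></html>`;
  }
  const page = Number.parseInt(q.page ?? "1", 10);
  if (!Number.isInteger(page) || page < 1) {
    return `<html><body><h1>Error</h1><p>Invalid page: ${q.page}</p></body></html>`;
  }
  return `<html><body><p>Results page ${page}</p></body></html>`;
}

// Hardened: every reflected value is entity-encoded at the point of output.
// Refusing unknown actions without echoing them is the other valid option;
// this version shows the encoding fix the advisory asks for.
function renderResultsHardened(urlString) {
  const q = params(urlString);
  if (q["oe-action"] !== undefined && q["oe-action"] !== "search") {
    return `<html><body><h1>Error</h1><p>Unknown action: ${escapeHtml(q["oe-action"])}</p></body></html>`;
  }
  const page = Number.parseInt(q.page ?? "1", 10);
  if (!Number.isInteger(page) || page < 1) {
    return `<html><body><h1>Error</h1><p>Invalid page: ${escapeHtml(q.page)}</p></body></html>`;
  }
  return `<html><body><p>Results page ${page}</p></body></html>`;
}

// Probe used when verifying a report: send a unique canary carrying the
// characters that matter (<, >, ") and check whether it comes back intact.
// Returns true when the handler reflects the canary unencoded.
const CANARY = '"><xss1337>'; // constructed marker, not a real payload
function reflectsUnencoded(render, path, param) {
  const url = `${path}?${encodeURIComponent(param)}=${encodeURIComponent(CANARY)}`;
  const body = render(url);
  return body.includes(CANARY);
}
```

The probe reports both parameters as reflected for the vulnerable handler and neither for the hardened one; against a live server the same check is done by substituting an HTTP fetch of the path for the `render` call and looking for the canary in the response body.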

3 Comments:

Anonymous said...

Hi there, I am the author of OpenEdit and I wanted to clarify. The page variable is just the page number. So it lets you jump from page 1 to page 100. If you pass in page -1 it will just generate an error. It is not a problem.
The oe-action is possibly of more concern, but we check for a user being logged in on the most dangerous actions. So this is not considered a security problem either.

7:29 PM

 
Anonymous said...

Starting with today's OpenEdit core build 4.364 I have disabled oe-action as the default behavior. Users should upgrade and override the default error screen by adding this file to their site. Upgrading and adding an error page should eliminate any condition.

11:22 PM

 
Anonymous said...

I noticed this issue is still listed on http://www.securityfocus.com/bid/16004

Starting with OE 5.0 we now escape the search inputs, error pages and removed oe-action.

6:42 AM

Copyright (c) 2006 Pridels Sec Crew