Cross site scripting and information disclosure in gobi/helma security advisory References: http://gobi.helma.org/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3693 Description: Cross site scripting describes attacks that allow to insert malicious html or javascript code via get or post forms. This can be used to steal session cookies. helma is a javascript-based application server, gobi is a cms based on helma. It's used on some popular pages, e. g. the ORF. The search-function can be used to inject javascript code. It will cause an information disclosure about the system path of helma if filled with invalid chars. Workaround/Fix: There's no vendor fix. All input strings in web applications should be escaped properly and error messages containing paths should be suppressed on live installations. Vendor has been contacted 2007-04-12 and hasn't answered yet. Sample injection URLs: http://gobi.helma.org/search/?q= http://dev.helma.org/search/?q= http://tv.orf.at/search?keyword="> Sample information disclosure URLs: http://gobi.helma.org/search/?q=" http://dev.helma.org/search/?q=" CVE Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-3693 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright: This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting, http://www.schokokeks.org It's licensed under the creative commons attribution license: http://creativecommons.org/licenses/by/3.0/ Hanno Boeck, 2007-07-12, http://www.hboeck.de