Software used by banks with vulnerabilities… that’s bad

OpenCMS is an open source content management system used worldwide. It provides a browser-based work environment, asset management, user management, work-flow management, a WYSIWYG editor, internationalization support, content versioning etc… and it is used by LGT Bank of Liechtenstein, BP South Africa, and UNICEF Netherlands.

I found this thing pretty interesting because it involves something used worldwide, and it is used by banks.

Some of the vulnerabilities are cross-site scripting, but this is pretty common with websites: cross-site scripting carried out on websites made up roughly 80% of all security vulnerabilities documented by Symantec as of 2007. So there is nothing to worry about; it’s normal for other people.

Another vulnerability is that the cookies are issued without the HttpOnly flag, which means the cookies can be read and modified by script running in the page (and so by anyone who manages to get script to run there), whereas with the HttpOnly flag set the browser withholds them from script (FireSheep can do some tricks with that).

And the last one is a password field with auto-complete enabled.

Imagine someone has access to your computer and just types your username; the browser then does the rest of the job for the unwanted person, and he logs in with your credentials.
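A small checker for the two issues just described, the missing HttpOnly (and Secure) cookie flags and the password field that allows auto-complete, written as an added example for this post, not code from OpenCms or from the advisory. The HTTP headers and login form below are constructed samples, and the cookie name SESSIONID is made up; a practitioner would feed it the real Set-Cookie headers and HTML of the page under review.

```python
from html.parser import HTMLParser


def audit_set_cookie(set_cookie_values):
    """Return a finding per Set-Cookie value that lacks HttpOnly or Secure.

    HttpOnly keeps the cookie out of reach of page script (document.cookie);
    Secure keeps it off plain-HTTP requests, the weakness FireSheep relied on.
    """
    findings = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (e.g. Path=/) are ignored here.
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in flags:
            findings.append(f"cookie {name}: missing HttpOnly (readable by page script)")
        if "secure" not in flags:
            findings.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    return findings


class _PasswordFieldScanner(HTMLParser):
    """Collect <input type=password> fields whose effective autocomplete is on.

    A field inherits the enclosing <form>'s autocomplete attribute unless it
    sets its own; browsers default to 'on' when neither says anything.
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_autocomplete = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_autocomplete = a.get("autocomplete", "").lower() or None
        elif tag == "input" and a.get("type", "").lower() == "password":
            own = a.get("autocomplete", "").lower()
            effective = own or self._form_autocomplete or "on"
            # 'off' and 'new-password' both tell the browser not to fill from memory.
            if effective not in ("off", "new-password"):
                self.findings.append(
                    f"password field {a.get('name', '?')}: autocomplete={effective}")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def audit_password_fields(html):
    scanner = _PasswordFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def audit_response(headers, body):
    """Run both checks over one response: a dict of headers plus the HTML body."""
    return audit_set_cookie(headers.get("Set-Cookie", [])) + audit_password_fields(body)


# Constructed sample responses (not captured from any real OpenCms install).
WEAK_HEADERS = {"Set-Cookie": ["SESSIONID=constructed; Path=/"]}
WEAK_BODY = """<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>"""

HARDENED_HEADERS = {"Set-Cookie": ["SESSIONID=constructed; Path=/; Secure; HttpOnly"]}
HARDENED_BODY = """<form method="post" action="/login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
</form>"""

if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_BODY):
        print("WEAK:", finding)
    print("hardened findings:", audit_response(HARDENED_HEADERS, HARDENED_BODY))
```

The hardened sample shows the fix on both sides: the server adds `Secure; HttpOnly` to the Set-Cookie header, and the login form carries `autocomplete="off"`. One caveat for anyone re-running this today: current browsers largely ignore `autocomplete="off"` on login fields and offer to save the password anyway, so the form-side check reflects the guidance of the 2011 advisory rather than a control you can still rely on; the cookie flags remain as relevant as ever.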

I think these are pretty serious vulnerabilities. They are common for web pages, but OpenCMS was released in 1999, and since then updates should have resolved these things, mainly because they are well-known vulnerabilities.

http://seclists.org/bugtraq/2011/Mar/275

This entry was posted in IT Security, Week 14.