Cross site scripting and information disclosure in gobi/helma

Wednesday, 5 December 2007

Cross site scripting and information disclosure in gobi/helma

security advisory


Cross site scripting describes attacks that allow to insert malicious
html or javascript code via get or post forms. This can be used to steal
session cookies.
helma is a javascript-based application server, gobi is a cms
based on helma. It's used on some popular pages, e. g. the ORF.
The search-function can be used to inject javascript code.
It will cause an information disclosure about the system path of helma
if filled with invalid chars.

There's no vendor fix. All input strings in web applications should be
escaped properly and error messages containing paths should be suppressed
on live installations.
Vendor has been contacted 2007-04-12 and hasn't answered yet.

Sample injection URLs:<script>alert(1)</script><script>alert(1)</script>"><script>alert(1)</script>

Sample information disclosure URLs:""

CVE Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3693 to this issue. This is a candidate for inclusion in
the CVE list (, which standardizes names for
security problems.

Credits and copyright:
This vulnerability was discovered by Hanno Boeck of
It's licensed under the creative commons attribution license:

Hanno Boeck, 2007-07-12,

Share this content:
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.