Moderate severity · NVD Advisory · Published Jul 31, 2006 · Updated Apr 16, 2026
CVE-2006-3934
Description
Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter.
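The check that the description implies is missing, as an added example (not OpenCms code and not part of the fix commit): a user-supplied file name is resolved against a fixed download directory and rejected if it is absolute or resolves outside that directory. The class name `SafeDownloadPath`, the method `resolveInside` and the temporary directories are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added illustration: containment check for a user-supplied download path. */
public class SafeDownloadPath {

    /**
     * Returns the real path of the requested file if it is a regular file
     * inside baseDir; throws SecurityException otherwise.
     */
    static Path resolveInside(Path baseDir, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new SecurityException("empty file name");
        }
        Path candidate;
        try {
            candidate = Paths.get(requested);
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed file name");
        }
        // The absolute-pathname case from the description: Path.resolve()
        // returns an absolute argument unchanged, silently discarding baseDir.
        if (candidate.isAbsolute()) {
            throw new SecurityException("absolute path rejected");
        }
        // toRealPath() follows symbolic links and collapses "..", so the
        // comparison below is made on the file that would actually be opened.
        Path base = baseDir.toRealPath();
        Path real = base.resolve(candidate).toRealPath();
        // Path.startsWith() compares whole name elements, not string prefixes.
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("path leaves the download directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: one file inside the base, one outside it.
        Path base = Files.createTempDirectory("download-base");
        Files.write(base.resolve("opencms.log"), "sample".getBytes(StandardCharsets.UTF_8));
        Path outside = Files.createTempFile("outside", ".txt");

        String[] inputs = {
            "opencms.log",                    // inside the base directory
            outside.toString(),               // absolute pathname
            "../" + outside.getFileName(),    // relative, but resolves outside
            "missing.log"                     // does not exist
        };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + resolveInside(base, in));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + in + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```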
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | < 6.2.2 | 6.2.2 |
Affected products
- cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:* (range: <=6.2.1)
- cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*
Patches
8f1c04c5a16f · fixed issue 1190: multiple access control and input validation vulnerabilities
18 files changed · +125 −66
history.txt+3 −2 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/history.txt,v $ - * Date : $Date: 2006/07/20 09:53:57 $ - * Version: $Revision: 1.732 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.733 $ * * This file is part of OpenCms - * the Open Source Content Mananagement System @@ -32,6 +32,7 @@ OpenCms 6.2.2 - July 21, 2006 * Fixed issue #1131: Problems with CmsFileUtile#readFully() (thanks to the contribution of Jason Trump) * Fixed issue #1188: Wrong resource link in contenttools module * Fixed issue #1163: NULL_PROPERTY now uses equals() to check for identity, also has a name set to avoid NPE +* Fixed issue #1190: Multiple access control and input validation vulnerabilities OpenCms 6.2.1 - May 2, 2006
modules/org.opencms.workplace.tools.modules/resources/manifest.xml+13 −13 modified@@ -17,7 +17,7 @@ <p>This module contains administration tools for managing the OpenCms modules.</p> <p><i>(c) 2006 by Alkacon Software GmbH (http://www.alkacon.com).</i></p> ]]></description> - <version>1.2.0</version> + <version>1.2.1</version> <authorname><![CDATA[Alkacon Software GmbH]]></authorname> <authoremail><![CDATA[info@alkacon.com]]></authoremail> <datecreated>Mon, 27 Jun 2005 08:00:00 GMT</datecreated> @@ -259,7 +259,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -313,7 +313,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -409,7 +409,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -455,7 +455,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -523,7 +523,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> 
@@ -569,7 +569,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -623,7 +623,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -669,7 +669,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -723,7 +723,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -769,7 +769,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -815,7 +815,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> 
@@ -861,7 +861,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name>
src-modules/org/opencms/workplace/administration/CmsAdminMenu.java+8 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/administration/CmsAdminMenu.java,v $ - * Date : $Date: 2006/03/27 14:52:20 $ - * Version: $Revision: 1.13 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.14 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -52,7 +52,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.13 $ + * @version $Revision: 1.14 $ * * @since 6.0.0 */ @@ -72,7 +72,11 @@ public class CmsAdminMenu extends CmsToolDialog { public CmsAdminMenu(CmsJspActionElement jsp) { super(jsp); - initAdminTool(); + try { + initAdminTool(); + } catch (Exception e) { + // ignore, only a role violation, not important for left side menu + } installMenu(); }
src-modules/org/opencms/workplace/tools/accounts/CmsAccountsToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/accounts/CmsAccountsToolHandler.java,v $ - * Date : $Date: 2006/03/27 14:52:49 $ - * Version: $Revision: 1.8 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.9 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -43,7 +43,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.8 $ + * @version $Revision: 1.9 $ * * @since 6.0.0 */ @@ -66,7 +66,7 @@ public class CmsAccountsToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.ACCOUNT_MANAGER); } /**
src-modules/org/opencms/workplace/tools/database/CmsExportToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/database/Attic/CmsExportToolHandler.java,v $ - * Date : $Date: 2005/06/25 14:28:53 $ - * Version: $Revision: 1.1 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.2 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,7 +41,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.1 $ + * @version $Revision: 1.2 $ * * @since 6.0.0 */ @@ -52,7 +52,7 @@ public class CmsExportToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.EXPORT_DATABASE); } /**
src-modules/org/opencms/workplace/tools/database/CmsImportToolHandler.java+11 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/database/Attic/CmsImportToolHandler.java,v $ - * Date : $Date: 2005/06/26 10:56:54 $ - * Version: $Revision: 1.2 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.3 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,12 +41,20 @@ * * @author Michael Moossen * - * @version $Revision: 1.2 $ + * @version $Revision: 1.3 $ * * @since 6.0.0 */ public class CmsImportToolHandler extends CmsOfflineToolHandler { + /** + * @see org.opencms.workplace.tools.I_CmsToolHandler#isEnabled(org.opencms.file.CmsObject) + */ + public boolean isEnabled(CmsObject cms) { + + return cms.hasRole(CmsRole.IMPORT_DATABASE) && !cms.getRequestContext().currentProject().isOnlineProject(); + } + /** * @see org.opencms.workplace.tools.A_CmsToolHandler#isVisible(org.opencms.file.CmsObject) */
src-modules/org/opencms/workplace/tools/modules/CmsModulesToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/modules/CmsModulesToolHandler.java,v $ - * Date : $Date: 2005/06/23 11:11:38 $ - * Version: $Revision: 1.5 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.6 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,7 +41,7 @@ * * @author Michael Emmerich * - * @version $Revision: 1.5 $ + * @version $Revision: 1.6 $ * * @since 6.0.0 */ @@ -52,7 +52,7 @@ public class CmsModulesToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.MODULE_MANAGER); }
src-modules/org/opencms/workplace/tools/workplace/broadcast/CmsMessageInfo.java+6 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/broadcast/CmsMessageInfo.java,v $ - * Date : $Date: 2005/06/30 10:13:28 $ - * Version: $Revision: 1.9 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.10 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -52,7 +52,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.9 $ + * @version $Revision: 1.10 $ * * @since 6.0.0 */ @@ -235,14 +235,16 @@ public void setTo(String to) { } /** - * Throws a runtime exception if the string is null or empty.<p> + * Throws a runtime exception if the string is null, empty or contains JavaScript.<p> * * @param string the string to check */ private void checkString(String string) { if (CmsStringUtil.isEmptyOrWhitespaceOnly(string)) { throw new CmsIllegalArgumentException(Messages.get().container(Messages.ERR_EMPTY_STRING_0)); + } else if (string.toLowerCase().indexOf("<script") != -1) { + throw new CmsIllegalArgumentException(Messages.get().container(Messages.ERR_STRING_CONTAINS_SCRIPT_0)); } }
src-modules/org/opencms/workplace/tools/workplace/broadcast/Messages.java+6 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/broadcast/Messages.java,v $ - * Date : $Date: 2006/03/27 14:52:49 $ - * Version: $Revision: 1.9 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.10 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -39,7 +39,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.9 $ + * @version $Revision: 1.10 $ * * @since 6.0.0 */ @@ -57,6 +57,9 @@ public final class Messages extends A_CmsMessageBundle { /** Message contant for key in the resource bundle. */ public static final String ERR_SEND_MESSAGE_0 = "ERR_SEND_MESSAGE_0"; + /** Message contant for key in the resource bundle. */ + public static final String ERR_STRING_CONTAINS_SCRIPT_0 = "ERR_STRING_CONTAINS_SCRIPT_0"; + /** Message contant for key in the resource bundle. */ public static final String GUI_EXCLUDED_USERS_WARNING_0 = "GUI_EXCLUDED_USERS_WARNING_0";
src-modules/org/opencms/workplace/tools/workplace/broadcast/messages.properties+1 −0 modified@@ -1,6 +1,7 @@ ERR_SEND_EMAIL_0 =Could not redirect to the edit email page. ERR_SEND_MESSAGE_0 =Could not redirect to the edit message page. ERR_EMPTY_STRING_0 =This string should not be empty. +ERR_STRING_CONTAINS_SCRIPT_0 =This string should not contain any JavaScript. ERR_NO_SELECTED_USER_WITH_EMAIL_0 =There is no selected user with a valid email address. GUI_EXCLUDED_USERS_WARNING_0 =The following users have been filtered because they do not have an associated valid email address:
src-modules/org/opencms/workplace/tools/workplace/CmsWorkplaceToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/CmsWorkplaceToolHandler.java,v $ - * Date : $Date: 2005/06/25 14:28:53 $ - * Version: $Revision: 1.1 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.2 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,7 +41,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.1 $ + * @version $Revision: 1.2 $ * * @since 6.0.0 */ @@ -52,7 +52,7 @@ public class CmsWorkplaceToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.WORKPLACE_MANAGER); } /**
src-modules/org/opencms/workplace/tools/workplace/rfsfile/CmsRfsFileDownloadServlet.java+19 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/rfsfile/Attic/CmsRfsFileDownloadServlet.java,v $ - * Date : $Date: 2006/03/27 14:52:59 $ - * Version: $Revision: 1.11 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.12 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -31,7 +31,11 @@ package org.opencms.workplace.tools.workplace.rfsfile; +import org.opencms.file.CmsObject; import org.opencms.flex.CmsFlexController; +import org.opencms.main.CmsException; +import org.opencms.security.CmsRole; +import org.opencms.security.CmsRoleViolationException; import org.opencms.util.CmsStringUtil; import java.io.BufferedInputStream; @@ -55,7 +59,7 @@ * * @author Achim Westermann * - * @version $Revision: 1.11 $ + * @version $Revision: 1.12 $ * * @since 6.0.0 */ 
@@ -118,12 +122,23 @@ public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOExc throw new ServletException(Messages.get().getBundle().key(Messages.ERR_DOWNLOAD_SERVLET_FILE_ARG_0)); } else { + CmsFlexController controller = CmsFlexController.getController(req); + try { + // check if the current user is allowed to download files + controller.getCmsObject().checkRole(CmsRole.WORKPLACE_MANAGER); + } catch (CmsRoleViolationException e) { + // user is not allowed, throw exception + CmsObject cms = controller.getCmsObject(); + CmsException exc = CmsRole.WORKPLACE_MANAGER.createRoleViolationException(cms.getRequestContext()); + throw new ServletException(exc.getLocalizedMessage(cms.getRequestContext().getLocale())); + } + File downloadFile = new File(fileToFind); res.setHeader("Content-Disposition", new StringBuffer("attachment; filename=\"").append( downloadFile.getName()).append("\"").toString()); res.setContentLength((int)downloadFile.length()); - CmsFlexController controller = CmsFlexController.getController(req); + res = controller.getTopResponse(); res.setContentType("application/octet-stream");
src/org/opencms/workplace/CmsWorkplace.java+16 −7 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/CmsWorkplace.java,v $ - * Date : $Date: 2006/04/28 15:20:52 $ - * Version: $Revision: 1.157 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.158 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -44,6 +44,7 @@ import org.opencms.i18n.CmsMessages; import org.opencms.i18n.CmsMultiMessages; import org.opencms.jsp.CmsJspActionElement; +import org.opencms.lock.CmsLock; import org.opencms.main.CmsBroadcast; import org.opencms.main.CmsException; import org.opencms.main.CmsLog; @@ -88,7 +89,7 @@ * * @author Alexander Kandzior * - * @version $Revision: 1.157 $ + * @version $Revision: 1.158 $ * * @since 6.0.0 */ @@ -1168,14 +1169,22 @@ public void checkLock(String resource) throws CmsException { */ public void checkLock(String resource, int mode) throws CmsException { + CmsResource res = getCms().readResource(resource, CmsResourceFilter.ALL); + CmsLock lock = getCms().getLock(res); if (OpenCms.getWorkplaceManager().autoLockResources()) { - // Autolock is enabled, check the lock state of the resource - CmsResource res = getCms().readResource(resource, CmsResourceFilter.ALL); - if (getCms().getLock(res).isNullLock()) { + // autolock is enabled, check the lock state of the resource + if (lock.isNullLock()) { // resource is not locked, lock it automatically getCms().lockResource(resource, mode); + } else if (!lock.getUserId().equals(getCms().getRequestContext().currentUser().getId())) { + throw new CmsException(Messages.get().container(Messages.ERR_WORKPLACE_LOCK_RESOURCE_1, resource)); } - } + } else { + if (lock.isNullLock() + || (!lock.isNullLock() && !lock.getUserId().equals(getCms().getRequestContext().currentUser().getId()))) { + throw new CmsException(Messages.get().container(Messages.ERR_WORKPLACE_LOCK_RESOURCE_1, resource)); + } + } } /**
src/org/opencms/workplace/Messages.java+6 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/Messages.java,v $ - * Date : $Date: 2006/03/28 13:32:13 $ - * Version: $Revision: 1.23 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.24 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -39,7 +39,7 @@ * * @author Jan Baudisch * - * @version $Revision: 1.23 $ + * @version $Revision: 1.24 $ * * @since 6.0.0 */ @@ -51,6 +51,9 @@ public final class Messages extends A_CmsMessageBundle { /** Message constant for key in the resource bundle. */ public static final String ERR_WORKPLACE_DIALOG_0 = "ERR_WORKPLACE_DIALOG_0"; + /** Message constant for key in the resource bundle. */ + public static final String ERR_WORKPLACE_LOCK_RESOURCE_1 = "ERR_WORKPLACE_LOCK_RESOURCE_1"; + /** Message constant for key in the resource bundle. */ public static final String GUI_BUTTON_EXIT_0 = "GUI_BUTTON_EXIT_0";
src/org/opencms/workplace/messages.properties+1 −0 modified@@ -1,5 +1,6 @@ ERR_INITIALIZE_WORKPLACE_0 =Failed to initialize the workplace. ERR_WORKPLACE_DIALOG_0 =The workplace dialog caused an error. +ERR_WORKPLACE_LOCK_RESOURCE_1 =The resource "{0}" is not locked by the current user. INIT_ADD_DIALOG_HANDLER_2 =. Adding dialog handler: {0} - {1} INIT_ADD_EXPORT_POINT_2 =. Adding export point : {0} --> {1}
src/org/opencms/workplace/tools/CmsToolDialog.java+11 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/tools/CmsToolDialog.java,v $ - * Date : $Date: 2006/03/27 14:52:51 $ - * Version: $Revision: 1.33 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.34 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -33,6 +33,7 @@ import org.opencms.jsp.CmsJspActionElement; import org.opencms.main.OpenCms; +import org.opencms.security.CmsRoleViolationException; import org.opencms.util.CmsStringUtil; import org.opencms.workplace.CmsDialog; import org.opencms.workplace.CmsWorkplace; @@ -49,7 +50,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.33 $ + * @version $Revision: 1.34 $ * * @since 6.0.0 */ @@ -310,8 +311,9 @@ public String iconsBlockAreaStart(String headline) { * Initializes the admin tool main view.<p> * * @return the new modified params array + * @throws CmsRoleViolationException in case the dialog is opened by a user without the necessary privileges */ - public Map initAdminTool() { + public Map initAdminTool() throws CmsRoleViolationException { Map params = new HashMap(getParameterMap()); // initialize @@ -338,6 +340,11 @@ public Map initAdminTool() { } catch (Exception e) { // ignore } + + if (!getToolManager().getCurrentTool(this).getHandler().isEnabled(getCms())) { + throw new CmsRoleViolationException(Messages.get().container(Messages.ERR_ADMIN_INSUFFICIENT_RIGHTS_0)); + } + return params; }
src/org/opencms/workplace/tools/Messages.java+6 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/tools/Messages.java,v $ - * Date : $Date: 2006/03/27 14:52:51 $ - * Version: $Revision: 1.11 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.12 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -39,12 +39,15 @@ * * @author Michael Moossen * - * @version $Revision: 1.11 $ + * @version $Revision: 1.12 $ * * @since 6.0.0 */ public final class Messages extends A_CmsMessageBundle { + /** Message contant for key in the resource bundle. */ + public static final String ERR_ADMIN_INSUFFICIENT_RIGHTS_0 = "ERR_ADMIN_INSUFFICIENT_RIGHTS_0"; + /** Message contant for key in the resource bundle. */ public static final String GUI_HISTORY_0 = "GUI_HISTORY_0";
src/org/opencms/workplace/tools/messages.properties+2 −0 modified@@ -1,3 +1,5 @@ +ERR_ADMIN_INSUFFICIENT_RIGHTS_0 =You don't have the permission to view this dialog. + GUI_ADMIN_VIEW_LOADING_0 =Please wait.<br>Loading ... GUI_ADMIN_VIEW_UPLEVEL_0 =Up
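Review bot: In CmsRfsFileDownloadServlet.doPost, the new WORKPLACE_MANAGER check limits who may download, but `File downloadFile = new File(fileToFind);` still opens whatever path the request supplied, so the path itself is never validated for a user who holds that role. Suggest canonicalising the value (for example with getCanonicalFile()) and rejecting anything outside the directories the workplace is meant to serve before the response headers are set. The catch block also discards the caught CmsRoleViolationException and builds a second one through createRoleViolationException; taking the localized message from `e` would be simpler.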
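Review bot: In CmsMessageInfo.checkString, `string.toLowerCase().indexOf("<script") != -1` is a substring denylist for a single tag, and toLowerCase() without a Locale argument depends on the JVM default locale (under a Turkish locale an upper-case I does not lower-case to i). Suggest HTML-encoding the message at the point where it is written into the page and, if the input check stays, calling toLowerCase(Locale.ENGLISH). The updated Javadoc says "contains JavaScript", which promises more than the check enforces.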
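Review bot: In the CmsAdminMenu constructor, `catch (Exception e)` is wider than its comment claims: it hides every failure raised by initAdminTool(), not only a role violation. Suggest catching CmsRoleViolationException, which is what initAdminTool() now declares, and logging anything else instead of ignoring it.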
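Review bot: In CmsWorkplace.checkLock, the new else branch tests `lock.isNullLock() || (!lock.isNullLock() && ...)`; the inner `!lock.isNullLock()` is redundant because the right-hand side is only evaluated when the lock is not null, so the condition reduces to the null-lock test OR the user-id mismatch. The method Javadoc should also state that with autolock disabled an unlocked resource now raises ERR_WORKPLACE_LOCK_RESOURCE_1, since the removed code returned silently in that case. The else block is indented one level deeper than the matching if.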
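Review bot: In CmsToolDialog.initAdminTool, the new isEnabled() check sits at the end of the method, after the parameter setup and after a `catch (Exception e) { // ignore }` block, and the chain `getToolManager().getCurrentTool(this).getHandler()` has no null guard. Suggest running the check as soon as the current tool is known and treating a missing tool or handler as a denial, so the dialog fails closed with CmsRoleViolationException rather than a NullPointerException.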
References
- www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip (nvd; Patch, WEB)
- www.opencms.org/opencms/en/shownews.html (nvd; Patch, WEB)
- o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt (nvd; Exploit, Patch)
- secunia.com/advisories/21193 (nvd; Exploit, Patch, Vendor Advisory)
- github.com/advisories/GHSA-64hc-4jx3-62jp (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2006-3934 (ghsa; ADVISORY)
- securityreason.com/securityalert/1302 (nvd; WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/28000 (nvd; WEB)
- github.com/alkacon/opencms-core/commit/8f1c04c5a16fe8d0bdbd13b65bf2a7b5cf100ff9 (ghsa; WEB)
- www.securityfocus.com/archive/1/441182/100/0/threaded (nvd)