CVE-2006-3935
Description
system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before 6.2.2 does not restrict access to administrator functions, which allows remote authenticated users to (1) send broadcast messages to all users (/workplace/broadcast), (2) list all users (/accounts/users), (3) add webusers (/accounts/webusers/new), (4) upload database import and export files (/database/importhttp), (5) upload arbitrary program modules (/modules/modules_import), and (6) read the log file (/workplace/logfileview) by setting the appropriate value for the path parameter in a direct request to admin-main.jsp.
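Detection logic for the direct requests described above, added here as an example (not part of the advisory or of OpenCms): it scans access-log lines for requests to admin-main.jsp whose path parameter names one of the six listed tools. It assumes Combined Log Format with the OpenCms account name in the user field; the sample lines, account names, URL prefix and the `admin_users` allow-list are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tool paths listed in the CVE description, mapped to the function each exposes.
ADMIN_TOOL_PATHS = {
    "/workplace/broadcast": "send broadcast message",
    "/accounts/users": "list users",
    "/accounts/webusers/new": "add webuser",
    "/database/importhttp": "upload database import/export file",
    "/modules/modules_import": "upload module",
    "/workplace/logfileview": "read log file",
}
TARGET_JSP = "system/workplace/views/admin/admin-main.jsp"

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; hosts, account names and URL prefix are made up.
_JSP = "/opencms/opencms/" + TARGET_JSP
SAMPLE_LOG = [
    f'203.0.113.7 - editor1 [21/Jul/2006:10:02:11 +0200] "GET {_JSP}?path=/accounts/users HTTP/1.1" 200 5120',
    f'203.0.113.7 - editor1 [21/Jul/2006:10:02:40 +0200] "GET {_JSP}?path=%2Fworkplace%2Flogfileview HTTP/1.1" 200 20480',
    f'198.51.100.4 - Admin [21/Jul/2006:10:05:03 +0200] "GET {_JSP}?path=/modules/modules_import HTTP/1.1" 200 4096',
    f'203.0.113.9 - editor2 [21/Jul/2006:10:06:00 +0200] "GET {_JSP}?path=/constructed/other HTTP/1.1" 200 900',
    '203.0.113.9 - editor2 [21/Jul/2006:10:06:09 +0200] "GET /opencms/opencms/index.html HTTP/1.1" 200 900',
]


def normalise(path):
    """Collapse repeated slashes and drop a trailing slash before lookup."""
    return re.sub(r"/+", "/", path.strip()).rstrip("/") or "/"


def find_admin_tool_requests(lines, admin_users=frozenset()):
    """Return one finding per request to admin-main.jsp whose path parameter
    names a listed admin tool, skipping accounts in admin_users (assumed list
    of accounts that legitimately hold the administrative roles)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if not url.path.endswith(TARGET_JSP) or m["user"] in admin_users:
            continue
        # parse_qs percent-decodes values, so encoded path values match too
        for raw in parse_qs(url.query).get("path", []):
            tool = ADMIN_TOOL_PATHS.get(normalise(raw))
            if tool:
                findings.append({
                    "time": m["time"], "host": m["host"], "user": m["user"],
                    "tool": tool, "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_admin_tool_requests(SAMPLE_LOG, admin_users={"Admin"}):
        print(finding)
```

A path value sent in a POST body does not appear in an access log, so this covers only requests that carry it in the query string.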
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | < 6.2.2 | 6.2.2 |
Affected products
- cpe:2.3:a:alkacon:opencms:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:alkacon:opencms:6.2.1:*:*:*:*:*:*:*
Patches
8f1c04c5a16f: fixed issue 1190: multiple access control and input validation vulnerabilities
18 files changed · +125 −66
history.txt+3 −2 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/history.txt,v $ - * Date : $Date: 2006/07/20 09:53:57 $ - * Version: $Revision: 1.732 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.733 $ * * This file is part of OpenCms - * the Open Source Content Mananagement System @@ -32,6 +32,7 @@ OpenCms 6.2.2 - July 21, 2006 * Fixed issue #1131: Problems with CmsFileUtile#readFully() (thanks to the contribution of Jason Trump) * Fixed issue #1188: Wrong resource link in contenttools module * Fixed issue #1163: NULL_PROPERTY now uses equals() to check for identity, also has a name set to avoid NPE +* Fixed issue #1190: Multiple access control and input validation vulnerabilities OpenCms 6.2.1 - May 2, 2006
modules/org.opencms.workplace.tools.modules/resources/manifest.xml+13 −13 modified@@ -17,7 +17,7 @@ <p>This module contains administration tools for managing the OpenCms modules.</p> <p><i>(c) 2006 by Alkacon Software GmbH (http://www.alkacon.com).</i></p> ]]></description> - <version>1.2.0</version> + <version>1.2.1</version> <authorname><![CDATA[Alkacon Software GmbH]]></authorname> <authoremail><![CDATA[info@alkacon.com]]></authoremail> <datecreated>Mon, 27 Jun 2005 08:00:00 GMT</datecreated> @@ -259,7 +259,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -313,7 +313,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -409,7 +409,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -455,7 +455,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -523,7 +523,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> 
@@ -569,7 +569,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -623,7 +623,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -669,7 +669,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -723,7 +723,7 @@ </property> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>NavPos</name> @@ -769,7 +769,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> @@ -815,7 +815,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name> 
@@ -861,7 +861,7 @@ <properties> <property> <name>admintoolhandler-class</name> - <value><![CDATA[org.opencms.workplace.tools.CmsDefaultToolHandler]]></value> + <value><![CDATA[org.opencms.workplace.tools.modules.CmsModulesToolHandler]]></value> </property> <property> <name>export</name>
src-modules/org/opencms/workplace/administration/CmsAdminMenu.java+8 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/administration/CmsAdminMenu.java,v $ - * Date : $Date: 2006/03/27 14:52:20 $ - * Version: $Revision: 1.13 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.14 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -52,7 +52,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.13 $ + * @version $Revision: 1.14 $ * * @since 6.0.0 */ @@ -72,7 +72,11 @@ public class CmsAdminMenu extends CmsToolDialog { public CmsAdminMenu(CmsJspActionElement jsp) { super(jsp); - initAdminTool(); + try { + initAdminTool(); + } catch (Exception e) { + // ignore, only a role violation, not important for left side menu + } installMenu(); }
src-modules/org/opencms/workplace/tools/accounts/CmsAccountsToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/accounts/CmsAccountsToolHandler.java,v $ - * Date : $Date: 2006/03/27 14:52:49 $ - * Version: $Revision: 1.8 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.9 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -43,7 +43,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.8 $ + * @version $Revision: 1.9 $ * * @since 6.0.0 */ @@ -66,7 +66,7 @@ public class CmsAccountsToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.ACCOUNT_MANAGER); } /**
src-modules/org/opencms/workplace/tools/database/CmsExportToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/database/Attic/CmsExportToolHandler.java,v $ - * Date : $Date: 2005/06/25 14:28:53 $ - * Version: $Revision: 1.1 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.2 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,7 +41,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.1 $ + * @version $Revision: 1.2 $ * * @since 6.0.0 */ @@ -52,7 +52,7 @@ public class CmsExportToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.EXPORT_DATABASE); } /**
src-modules/org/opencms/workplace/tools/database/CmsImportToolHandler.java+11 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/database/Attic/CmsImportToolHandler.java,v $ - * Date : $Date: 2005/06/26 10:56:54 $ - * Version: $Revision: 1.2 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.3 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,12 +41,20 @@ * * @author Michael Moossen * - * @version $Revision: 1.2 $ + * @version $Revision: 1.3 $ * * @since 6.0.0 */ public class CmsImportToolHandler extends CmsOfflineToolHandler { + /** + * @see org.opencms.workplace.tools.I_CmsToolHandler#isEnabled(org.opencms.file.CmsObject) + */ + public boolean isEnabled(CmsObject cms) { + + return cms.hasRole(CmsRole.IMPORT_DATABASE) && !cms.getRequestContext().currentProject().isOnlineProject(); + } + /** * @see org.opencms.workplace.tools.A_CmsToolHandler#isVisible(org.opencms.file.CmsObject) */
src-modules/org/opencms/workplace/tools/modules/CmsModulesToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/modules/CmsModulesToolHandler.java,v $ - * Date : $Date: 2005/06/23 11:11:38 $ - * Version: $Revision: 1.5 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.6 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,7 +41,7 @@ * * @author Michael Emmerich * - * @version $Revision: 1.5 $ + * @version $Revision: 1.6 $ * * @since 6.0.0 */ @@ -52,7 +52,7 @@ public class CmsModulesToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.MODULE_MANAGER); }
src-modules/org/opencms/workplace/tools/workplace/broadcast/CmsMessageInfo.java+6 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/broadcast/CmsMessageInfo.java,v $ - * Date : $Date: 2005/06/30 10:13:28 $ - * Version: $Revision: 1.9 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.10 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -52,7 +52,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.9 $ + * @version $Revision: 1.10 $ * * @since 6.0.0 */ @@ -235,14 +235,16 @@ public void setTo(String to) { } /** - * Throws a runtime exception if the string is null or empty.<p> + * Throws a runtime exception if the string is null, empty or contains JavaScript.<p> * * @param string the string to check */ private void checkString(String string) { if (CmsStringUtil.isEmptyOrWhitespaceOnly(string)) { throw new CmsIllegalArgumentException(Messages.get().container(Messages.ERR_EMPTY_STRING_0)); + } else if (string.toLowerCase().indexOf("<script") != -1) { + throw new CmsIllegalArgumentException(Messages.get().container(Messages.ERR_STRING_CONTAINS_SCRIPT_0)); } }
src-modules/org/opencms/workplace/tools/workplace/broadcast/Messages.java+6 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/broadcast/Messages.java,v $ - * Date : $Date: 2006/03/27 14:52:49 $ - * Version: $Revision: 1.9 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.10 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -39,7 +39,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.9 $ + * @version $Revision: 1.10 $ * * @since 6.0.0 */ @@ -57,6 +57,9 @@ public final class Messages extends A_CmsMessageBundle { /** Message contant for key in the resource bundle. */ public static final String ERR_SEND_MESSAGE_0 = "ERR_SEND_MESSAGE_0"; + /** Message contant for key in the resource bundle. */ + public static final String ERR_STRING_CONTAINS_SCRIPT_0 = "ERR_STRING_CONTAINS_SCRIPT_0"; + /** Message contant for key in the resource bundle. */ public static final String GUI_EXCLUDED_USERS_WARNING_0 = "GUI_EXCLUDED_USERS_WARNING_0";
src-modules/org/opencms/workplace/tools/workplace/broadcast/messages.properties+1 −0 modified@@ -1,6 +1,7 @@ ERR_SEND_EMAIL_0 =Could not redirect to the edit email page. ERR_SEND_MESSAGE_0 =Could not redirect to the edit message page. ERR_EMPTY_STRING_0 =This string should not be empty. +ERR_STRING_CONTAINS_SCRIPT_0 =This string should not contain any JavaScript. ERR_NO_SELECTED_USER_WITH_EMAIL_0 =There is no selected user with a valid email address. GUI_EXCLUDED_USERS_WARNING_0 =The following users have been filtered because they do not have an associated valid email address:
src-modules/org/opencms/workplace/tools/workplace/CmsWorkplaceToolHandler.java+4 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/CmsWorkplaceToolHandler.java,v $ - * Date : $Date: 2005/06/25 14:28:53 $ - * Version: $Revision: 1.1 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.2 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -41,7 +41,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.1 $ + * @version $Revision: 1.2 $ * * @since 6.0.0 */ @@ -52,7 +52,7 @@ public class CmsWorkplaceToolHandler extends A_CmsToolHandler { */ public boolean isEnabled(CmsObject cms) { - return true; + return cms.hasRole(CmsRole.WORKPLACE_MANAGER); } /**
src-modules/org/opencms/workplace/tools/workplace/rfsfile/CmsRfsFileDownloadServlet.java+19 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src-modules/org/opencms/workplace/tools/workplace/rfsfile/Attic/CmsRfsFileDownloadServlet.java,v $ - * Date : $Date: 2006/03/27 14:52:59 $ - * Version: $Revision: 1.11 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.12 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -31,7 +31,11 @@ package org.opencms.workplace.tools.workplace.rfsfile; +import org.opencms.file.CmsObject; import org.opencms.flex.CmsFlexController; +import org.opencms.main.CmsException; +import org.opencms.security.CmsRole; +import org.opencms.security.CmsRoleViolationException; import org.opencms.util.CmsStringUtil; import java.io.BufferedInputStream; @@ -55,7 +59,7 @@ * * @author Achim Westermann * - * @version $Revision: 1.11 $ + * @version $Revision: 1.12 $ * * @since 6.0.0 */ 
@@ -118,12 +122,23 @@ public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOExc throw new ServletException(Messages.get().getBundle().key(Messages.ERR_DOWNLOAD_SERVLET_FILE_ARG_0)); } else { + CmsFlexController controller = CmsFlexController.getController(req); + try { + // check if the current user is allowed to download files + controller.getCmsObject().checkRole(CmsRole.WORKPLACE_MANAGER); + } catch (CmsRoleViolationException e) { + // user is not allowed, throw exception + CmsObject cms = controller.getCmsObject(); + CmsException exc = CmsRole.WORKPLACE_MANAGER.createRoleViolationException(cms.getRequestContext()); + throw new ServletException(exc.getLocalizedMessage(cms.getRequestContext().getLocale())); + } + File downloadFile = new File(fileToFind); res.setHeader("Content-Disposition", new StringBuffer("attachment; filename=\"").append( downloadFile.getName()).append("\"").toString()); res.setContentLength((int)downloadFile.length()); - CmsFlexController controller = CmsFlexController.getController(req); + res = controller.getTopResponse(); res.setContentType("application/octet-stream");
src/org/opencms/workplace/CmsWorkplace.java+16 −7 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/CmsWorkplace.java,v $ - * Date : $Date: 2006/04/28 15:20:52 $ - * Version: $Revision: 1.157 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.158 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -44,6 +44,7 @@ import org.opencms.i18n.CmsMessages; import org.opencms.i18n.CmsMultiMessages; import org.opencms.jsp.CmsJspActionElement; +import org.opencms.lock.CmsLock; import org.opencms.main.CmsBroadcast; import org.opencms.main.CmsException; import org.opencms.main.CmsLog; @@ -88,7 +89,7 @@ * * @author Alexander Kandzior * - * @version $Revision: 1.157 $ + * @version $Revision: 1.158 $ * * @since 6.0.0 */ @@ -1168,14 +1169,22 @@ public void checkLock(String resource) throws CmsException { */ public void checkLock(String resource, int mode) throws CmsException { + CmsResource res = getCms().readResource(resource, CmsResourceFilter.ALL); + CmsLock lock = getCms().getLock(res); if (OpenCms.getWorkplaceManager().autoLockResources()) { - // Autolock is enabled, check the lock state of the resource - CmsResource res = getCms().readResource(resource, CmsResourceFilter.ALL); - if (getCms().getLock(res).isNullLock()) { + // autolock is enabled, check the lock state of the resource + if (lock.isNullLock()) { // resource is not locked, lock it automatically getCms().lockResource(resource, mode); + } else if (!lock.getUserId().equals(getCms().getRequestContext().currentUser().getId())) { + throw new CmsException(Messages.get().container(Messages.ERR_WORKPLACE_LOCK_RESOURCE_1, resource)); } - } + } else { + if (lock.isNullLock() + || (!lock.isNullLock() && !lock.getUserId().equals(getCms().getRequestContext().currentUser().getId()))) { + throw new CmsException(Messages.get().container(Messages.ERR_WORKPLACE_LOCK_RESOURCE_1, resource)); + } + } } /**
src/org/opencms/workplace/Messages.java+6 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/Messages.java,v $ - * Date : $Date: 2006/03/28 13:32:13 $ - * Version: $Revision: 1.23 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.24 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -39,7 +39,7 @@ * * @author Jan Baudisch * - * @version $Revision: 1.23 $ + * @version $Revision: 1.24 $ * * @since 6.0.0 */ @@ -51,6 +51,9 @@ public final class Messages extends A_CmsMessageBundle { /** Message constant for key in the resource bundle. */ public static final String ERR_WORKPLACE_DIALOG_0 = "ERR_WORKPLACE_DIALOG_0"; + /** Message constant for key in the resource bundle. */ + public static final String ERR_WORKPLACE_LOCK_RESOURCE_1 = "ERR_WORKPLACE_LOCK_RESOURCE_1"; + /** Message constant for key in the resource bundle. */ public static final String GUI_BUTTON_EXIT_0 = "GUI_BUTTON_EXIT_0";
src/org/opencms/workplace/messages.properties+1 −0 modified@@ -1,5 +1,6 @@ ERR_INITIALIZE_WORKPLACE_0 =Failed to initialize the workplace. ERR_WORKPLACE_DIALOG_0 =The workplace dialog caused an error. +ERR_WORKPLACE_LOCK_RESOURCE_1 =The resource "{0}" is not locked by the current user. INIT_ADD_DIALOG_HANDLER_2 =. Adding dialog handler: {0} - {1} INIT_ADD_EXPORT_POINT_2 =. Adding export point : {0} --> {1}
src/org/opencms/workplace/tools/CmsToolDialog.java+11 −4 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/tools/CmsToolDialog.java,v $ - * Date : $Date: 2006/03/27 14:52:51 $ - * Version: $Revision: 1.33 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.34 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -33,6 +33,7 @@ import org.opencms.jsp.CmsJspActionElement; import org.opencms.main.OpenCms; +import org.opencms.security.CmsRoleViolationException; import org.opencms.util.CmsStringUtil; import org.opencms.workplace.CmsDialog; import org.opencms.workplace.CmsWorkplace; @@ -49,7 +50,7 @@ * * @author Michael Moossen * - * @version $Revision: 1.33 $ + * @version $Revision: 1.34 $ * * @since 6.0.0 */ @@ -310,8 +311,9 @@ public String iconsBlockAreaStart(String headline) { * Initializes the admin tool main view.<p> * * @return the new modified params array + * @throws CmsRoleViolationException in case the dialog is opened by a user without the necessary privileges */ - public Map initAdminTool() { + public Map initAdminTool() throws CmsRoleViolationException { Map params = new HashMap(getParameterMap()); // initialize @@ -338,6 +340,11 @@ public Map initAdminTool() { } catch (Exception e) { // ignore } + + if (!getToolManager().getCurrentTool(this).getHandler().isEnabled(getCms())) { + throw new CmsRoleViolationException(Messages.get().container(Messages.ERR_ADMIN_INSUFFICIENT_RIGHTS_0)); + } + return params; }
src/org/opencms/workplace/tools/Messages.java+6 −3 modified@@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/workplace/tools/Messages.java,v $ - * Date : $Date: 2006/03/27 14:52:51 $ - * Version: $Revision: 1.11 $ + * Date : $Date: 2006/07/20 10:14:23 $ + * Version: $Revision: 1.12 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -39,12 +39,15 @@ * * @author Michael Moossen * - * @version $Revision: 1.11 $ + * @version $Revision: 1.12 $ * * @since 6.0.0 */ public final class Messages extends A_CmsMessageBundle { + /** Message contant for key in the resource bundle. */ + public static final String ERR_ADMIN_INSUFFICIENT_RIGHTS_0 = "ERR_ADMIN_INSUFFICIENT_RIGHTS_0"; + /** Message contant for key in the resource bundle. */ public static final String GUI_HISTORY_0 = "GUI_HISTORY_0";
src/org/opencms/workplace/tools/messages.properties+2 −0 modified@@ -1,3 +1,5 @@ +ERR_ADMIN_INSUFFICIENT_RIGHTS_0 =You don't have the permission to view this dialog. + GUI_ADMIN_VIEW_LOADING_0 =Please wait.<br>Loading ... GUI_ADMIN_VIEW_UPLEVEL_0 =Up
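Review bot: In modules/org.opencms.workplace.tools.modules/resources/manifest.xml the role check is wired in by repeating the `admintoolhandler-class` value by hand in 12 tool entries, so a module tool added later that still names `org.opencms.workplace.tools.CmsDefaultToolHandler` would not get the `CmsRole.MODULE_MANAGER` check from `CmsModulesToolHandler`. Consider a test that walks the manifest and fails on any tool in this module whose handler is not the module handler, or document the requirement next to the property.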
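Review bot: In CmsAdminMenu.java the constructor wraps `initAdminTool()` in `catch (Exception e)`, which hides every failure, while the comment says only a role violation is expected. Since `initAdminTool()` is now declared `throws CmsRoleViolationException`, catch that type and let anything else propagate or be logged.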
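Review bot: In CmsMessageInfo.java `checkString` rejects only input containing the substring `<script`, which is a deny-list on a single tag and leaves any other HTML in the message untouched. HTML-escape the message where it is rendered and treat this check as a secondary guard; `string.toLowerCase()` also depends on the default locale, so pass an explicit one such as `Locale.ENGLISH` for the comparison.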
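Review bot: In CmsRfsFileDownloadServlet.java `doPost` turns a failed `checkRole(CmsRole.WORKPLACE_MANAGER)` into a `ServletException`, discarding the caught `e` and building a second exception with `createRoleViolationException(...)`. Reuse `e` for the message and answer with `res.sendError(HttpServletResponse.SC_FORBIDDEN)` so a denied download is distinguishable from a server fault; a log entry naming the current user and `fileToFind` would also help when reviewing denied requests.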
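Review bot: In CmsWorkplace.java `checkLock(String, int)` the non-autolock branch tests `lock.isNullLock() || (!lock.isNullLock() && ...)`; the inner `!lock.isNullLock()` is redundant, and the condition reduces to the null-lock test OR the user-id mismatch. Both the unlocked case and the locked-by-another-user case raise `ERR_WORKPLACE_LOCK_RESOURCE_1`; the Javadoc is not in this hunk and should state that the method now throws when the resource is not locked by the current user.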
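Review bot: In CmsToolDialog.java `initAdminTool()` performs the `isEnabled(getCms())` check last, after the tool state has been initialized and after a `catch (Exception e)` block that ignores failures. If an ignored failure leaves no current tool, `getToolManager().getCurrentTool(this).getHandler()` would raise a NullPointerException instead of the role violation; add a null check that denies access, and consider running the check before the rest of the initialization.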
References
- o0o.nu/~meder/OpenCMS_multiple_vulnerabilities.txt (nvd, Patch)
- secunia.com/advisories/21193 (nvd, Patch, Vendor Advisory)
- www.opencms.org/export/download/opencms/opencms_6.2.2_src.zip (nvd, Patch, WEB)
- www.opencms.org/opencms/en/shownews.html (nvd, Patch)
- github.com/advisories/GHSA-v3c3-qr6m-8m7m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2006-3935 (ghsa, ADVISORY)
- exchange.xforce.ibmcloud.com/vulnerabilities/27996 (nvd, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/28003 (nvd, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/28010 (nvd, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/28026 (nvd, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/28031 (nvd, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/28036 (nvd, WEB)
- github.com/alkacon/opencms-core/commit/8f1c04c5a16fe8d0bdbd13b65bf2a7b5cf100ff9 (ghsa, WEB)
- securityreason.com/securityalert/1302 (nvd)
- www.securityfocus.com/archive/1/441182/100/0/threaded (nvd)