[jira] Created: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.


Nicolas Malin (Jira)
Security :  The remote web server is prone to cross-site scripting attacks.
---------------------------------------------------------------------------

                 Key: OFBIZ-2747
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2747
             Project: OFBiz
          Issue Type: Bug
          Components: specialpurpose/ecommerce
    Affects Versions: SVN trunk
            Reporter: Alexandre Mazari
            Priority: Critical


The pollbox seems to be subject to request argument injection, without any stripping of HTML tags (e.g. <script>).

Nessus scan log :


Web Server Generic XSS

Synopsis :

The remote web server is prone to cross-site scripting attacks.

Description :

The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.

See also :

http://en.wikipedia.org/wiki/Cross-site_scripting

Solution :

Contact the vendor for a patch or upgrade.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Plugin output :

The request string used to detect this flaw was :

/?<script>cross_site_scripting.nasl</script>

The output was :

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: JSP/2.1
Set-Cookie: OFBiz.Visitor=12065; Expires=Wed, 21-Jul-2010 21:31:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 21 Jul 2009 21:31:19 GMT


[...]
<h3>Mouse Hand Poll</h3>
<div class="screenlet-body">
<form method="post" action="/control/minipoll/main" style="margin: 0;">
<input type="hidden" name="<script>cross_site_scripting.nasl</script>" value=""/>
<input type="hidden" name="surveyId" value="1004"/>
<table width="100%" border="0" cellpadding="2" cellspacing="0">
[...]

CVE : CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681
BID : 5305, 7344, 7353, 8037, 14473, 17408
Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314

Nessus ID : 10815

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733892#action_12733892 ]

David E. Jones commented on OFBIZ-2747:
---------------------------------------

Which version/revision of OFBiz did you test? What was the actual URL the request went to and what data was submitted?

If you're reporting this based on the general testing a few years ago, and this is not a newer issue, then this has already been thoroughly fixed. For more details search for "XSS" here in Jira and also on the OFBiz dev mailing list. There are a number of Jira issues, and dozens of messages (including some with very detailed discussions of the problem and solution).

Please look into this and comment about whether or not this is still an issue. If it is an issue we need a list of steps to reproduce, because if you try this in general right now you'll see that the HTML is either not accepted, or that the script and other elements are filtered out (depending on whether the field you enter text into has HTML not allowed or safe HTML allowed). Also, we need to know exactly which output screen is not encoding the HTML output, because all of that should too, except cases where it is explicitly allowed because it is expected that HTML will be coming from the database (like managed content).


[jira] Commented: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733901#action_12733901 ]

Scott Gray commented on OFBIZ-2747:
-----------------------------------

This seems valid:
http://demo.ofbiz.org/ecommerce/control/main/?"<script>alert('test');</script>

At first I thought it was because it is a parameter name rather than a value, but this also works:
http://demo.ofbiz.org/ecommerce/control/main/?"<script>alert('test');</script>="<script>alert('test');</script>

Produces:
<input type="hidden" name=""<script>alert('test');</script>" value=""<script>alert('test');</script>"/>


[jira] Commented: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733929#action_12733929 ]

Alexandre Mazari commented on OFBIZ-2747:
-----------------------------------------

Hi David,

As stated above, I am running the latest SVN trunk as of 22 July. The URL provided by Scott Gray suffers from this issue.
In most, if not all, browsers the injected code isn't interpreted, but browser vendors may differ in their parsing rules.

Try this for some fun : http://demo.ofbiz.org/ecommerce/control/main/?%22/%3E%3Cscript%3Ealert%28%27Oops%27%29;%3C/script%3E%3Cinput

On Firefox 3.5, the script is interpreted.
WebKit seems to check request parameters for JavaScript: "Refused to execute a JavaScript script. Source code of script found within request."



[jira] Commented: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733936#action_12733936 ]

David E. Jones commented on OFBIZ-2747:
---------------------------------------

Thanks Scott and Alexandre, that additional detail helps.

The weird thing is: why are arbitrary parameters from the URL being put into the output HTML... will have to look into that.


[jira] Commented: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733943#action_12733943 ]

Scott Gray commented on OFBIZ-2747:
-----------------------------------

ProductStoreWorker.getRandomSurveyWrapper(...) passes the parameter map through as "passThru" parameters to the ProductStoreSurveyWrapper, which are then rendered in genericsurvey.ftl.

I'm not sure of the reason for doing so, but we could just stop doing that and then wait for a bug report for whatever functionality was lost and deal with that less critical problem in a security-conscious manner.


[jira] Assigned: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray reassigned OFBIZ-2747:
---------------------------------

    Assignee: Scott Gray


[jira] Closed: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray closed OFBIZ-2747.
-----------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk
                   Release Branch 9.04

Thanks for the report, Alexandre. I've commented out the offending code in trunk r826196 and v9.04 r826201.


[jira] Reopened: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Heath reopened OFBIZ-2747:
-------------------------------


This fix breaks code very badly.  Please revert it.

Namely, inside ecommerce, there are chained surveys.  If you attempt to purchase a gift certificate, or activate a financial account, then it will fail after you fill out the survey form.


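An added example, written in Python rather than OFBiz's Java/FreeMarker and not code from the project, modelling the mechanism Scott describes (the request parameter map echoed into hidden inputs by genericsurvey.ftl) together with the regression Adam reports: the vulnerable renderer sits beside one that HTML-attribute-encodes each name and value, so pass-thru state still round-trips to the next survey step while markup no longer does. SAMPLE_PARAMS is constructed from the probe URL in the thread; filter_pass_thru and its allowlist are this example's own suggestion, not what the OFBiz commits did.

```python
"""Models the pass-thru rendering discussed in OFBIZ-2747 (added example, not OFBiz code)."""
import html
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Mapping, Tuple

# Constructed sample parameter map: roughly what the request parameter map holds
# when the probe URL from the thread is requested. Both key and value are
# attacker-controlled, since they come straight from the query string.
PROBE = "\"<script>alert('test');</script>"
SAMPLE_PARAMS: Dict[str, str] = {
    "surveyId": "1004",
    PROBE: PROBE,
}


def render_pass_thru_vulnerable(pass_thru: Mapping[str, str]) -> str:
    """Models the original template: each pass-thru entry is interpolated into a
    hidden input with no output encoding, so a quote in the name or value closes
    the attribute and whatever follows becomes markup."""
    return "".join(
        f'<input type="hidden" name="{name}" value="{value}"/>\n'
        for name, value in pass_thru.items()
    )


def render_pass_thru_encoded(pass_thru: Mapping[str, str]) -> str:
    """Same output shape, but name and value are HTML-attribute-encoded. The
    pass-thru state still reaches the next survey step; markup does not."""
    return "".join(
        '<input type="hidden" name="{}" value="{}"/>\n'.format(
            html.escape(name, quote=True), html.escape(value, quote=True)
        )
        for name, value in pass_thru.items()
    )


def filter_pass_thru(pass_thru: Mapping[str, str], allowed: Iterable[str]) -> Dict[str, str]:
    """Second, independent layer (this example's own suggestion, hypothetical):
    forward only the parameters the survey flow needs, not the whole request map."""
    keep = set(allowed)
    return {name: value for name, value in pass_thru.items() if name in keep}


class _TagCollector(HTMLParser):
    """Records start tags and their attributes as a tolerant HTML parser sees them,
    close enough to a browser to show where the attribute boundary ends up."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append((tag, {k: (v if v is not None else "") for k, v in attrs}))


def parse_tags(markup: str) -> List[Tuple[str, Dict[str, str]]]:
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def tag_names(markup: str) -> List[str]:
    """Every start tag in the rendered fragment; a 'script' here means the
    parameter broke out of the attribute and became executable markup."""
    return [tag for tag, _ in parse_tags(markup)]


def hidden_fields(markup: str) -> Dict[str, str]:
    """The name/value pairs a browser would submit from the hidden inputs."""
    return {
        attrs["name"]: attrs.get("value", "")
        for tag, attrs in parse_tags(markup)
        if tag == "input" and "name" in attrs
    }


if __name__ == "__main__":
    print("vulnerable tags:", tag_names(render_pass_thru_vulnerable(SAMPLE_PARAMS)))
    print("encoded tags   :", tag_names(render_pass_thru_encoded(SAMPLE_PARAMS)))
    print("encoded fields :", hidden_fields(render_pass_thru_encoded(SAMPLE_PARAMS)))
    print("filtered       :", render_pass_thru_encoded(filter_pass_thru(SAMPLE_PARAMS, ["surveyId"])))
```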
[jira] Commented: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12788427#action_12788427 ]

Scott Gray commented on OFBIZ-2747:
-----------------------------------

Replaced with a new fix in r889038, r889039 and r889040.  I'll back port it to 9.04 shortly.


[jira] Closed: (OFBIZ-2747) Security : The remote web server is prone to cross-site scripting attacks.

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray closed OFBIZ-2747.
-----------------------------

    Resolution: Fixed

Fixed in v9.04 r889044, r889046 and r889050.
