XSS vulnerability in eCommerce/ordermgr
---------------------------------------
Key: OFBIZ-2121
URL: https://issues.apache.org/jira/browse/OFBIZ-2121
Project: OFBiz
Issue Type: Bug
Components: order
Affects Versions: SVN trunk
Reporter: Philipp Hoppen
Any HTML/Javascript that is placed within the fields "shipping_instructions" or
"gift_message" (possibly other fields too) when making a new order in
eCommerce is executed in the ordermgr module when the order is displayed. For
example, using this HTML code
<iframe src="http://ofbiz.apache.org/"
        style="position:absolute; top:0; left:0; border:0px #FFFFFF none;"
        name="myframe" marginheight="0px" marginwidth="0px"
        height="768" width="1024"></iframe>
an iframe is displayed with the OFBiz project home page. Now suppose the iframe
actually displays a faked OFBiz login page or anything like this (the
possibilities are endless...).
Is there any reason why the FTL escape directives are not used (in this case in
orderheader.ftl) to encode content properly, using, for example, something like
this:
<#escape x as x?html>
First name: ${firstName}
Last name: ${lastName}
Maiden name: ${maidenName}
</#escape>
(See http://freemarker.org/docs/ref_directive_escape.html for details)
I know there were some other Jira issues about similar problems, but I didn't
see any current effort to fix these things.
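The fix the report asks for, shown end to end as an added example (this is not code from the issue, from the reporter, or from OFBiz itself). A stand-alone Java program renders a small order-display fragment with the FreeMarker library three ways: the value interpolated verbatim, the value wrapped in the reporter's <#escape x as x?html> directive, and the value rendered under FreeMarker's HTML output format, which is the auto-escaping mechanism available in FreeMarker 2.3.24 and later. The template text, the variable name shippingInstructions and the FreeMarker version constant are assumptions for the demo, not the real content of orderheader.ftl; the payload is the iframe from the report.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

/**
 * Renders the same order-display fragment three ways so the difference between
 * an unescaped ${...} and an HTML-escaped one is visible in the output.
 * Template text and variable names are assumptions for this demo; they are not
 * the real content of OFBiz's orderheader.ftl.
 */
public class OrderEscapeDemo {

    // Constructed payload: the reporter's iframe, as an attacker would type it
    // into the "shipping instructions" field of the eCommerce checkout form.
    static final String PAYLOAD =
        "<iframe src=\"http://ofbiz.apache.org/\" "
        + "style=\"position:absolute;top:0;left:0;border:0px #FFFFFF none;\" "
        + "name=\"myframe\" height=\"768\" width=\"1024\"></iframe>";

    // Vulnerable pattern: the stored value is interpolated into the page verbatim.
    static final String UNESCAPED_FTL =
        "<tr><td>Shipping Instructions</td><td>${shippingInstructions}</td></tr>";

    // Fix from the report: wrap the interpolations in <#escape x as x?html>.
    static final String ESCAPE_DIRECTIVE_FTL =
        "<#escape x as x?html>"
        + "<tr><td>Shipping Instructions</td><td>${shippingInstructions}</td></tr>"
        + "</#escape>";

    /**
     * Renders an inline template against a data model. When autoEscapeHtml is
     * true the Configuration declares HTML as the output format, so every ${...}
     * is escaped without any per-template directive (FreeMarker 2.3.24+).
     */
    static String render(String ftl, Map<String, Object> model, boolean autoEscapeHtml)
            throws IOException, TemplateException {
        // Version constant is an assumption; any 2.3.24+ release behaves the same here.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        if (autoEscapeHtml) {
            cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        }
        Template template = new Template("orderheader-demo", new StringReader(ftl), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = new HashMap<>();
        model.put("shippingInstructions", PAYLOAD);

        String vulnerable = render(UNESCAPED_FTL, model, false);
        String escapedByDirective = render(ESCAPE_DIRECTIVE_FTL, model, false);
        String escapedByOutputFormat = render(UNESCAPED_FTL, model, true);

        System.out.println("unescaped:\n" + vulnerable);
        System.out.println("\n<#escape x as x?html>:\n" + escapedByDirective);
        System.out.println("\nHTMLOutputFormat auto-escaping:\n" + escapedByOutputFormat);

        // Only the first rendering hands the browser a live <iframe> tag; the
        // other two turn '<', '>' and '"' into &lt;, &gt; and &quot; so the
        // payload is displayed as text instead of being parsed as markup.
        if (!vulnerable.contains("<iframe")) {
            throw new AssertionError("expected the raw iframe in the unescaped output");
        }
        if (escapedByDirective.contains("<iframe") || !escapedByDirective.contains("&lt;iframe")) {
            throw new AssertionError("<#escape> did not neutralise the payload");
        }
        if (escapedByOutputFormat.contains("<iframe") || !escapedByOutputFormat.contains("&lt;iframe")) {
            throw new AssertionError("HTML output format did not neutralise the payload");
        }
    }
}
```

Compile and run with freemarker.jar on the classpath (javac -cp freemarker.jar OrderEscapeDemo.java && java -cp .:freemarker.jar OrderEscapeDemo). The <#escape> directive is the fix available to the code base at the time of the report and still works, but it has to be repeated in every template that displays user-controlled fields, including the "gift_message" field and any others the report suspects; declaring the output format on the Configuration escapes by default everywhere, which is the setting a reviewer would now look for, with ?no_esc reserved for the few places that intentionally emit markup.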