Password visible in URL query string & hidden parameter (pre/post auth)
-----------------------------------------------------------------------

                 Key: OFBIZ-2194
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2194
             Project: OFBiz
          Issue Type: Bug
          Components: ecommerce
    Affects Versions: SVN trunk
            Reporter: Michele Orru
             Fix For: SVN trunk


When logging in to the ecommerce application, if we send a POST request to the 
login URI with a deliberately wrong user/passwd pair, 
the application responds by embedding in the HTML the link to which we sent our 
request, plus USERNAME/PASSWORD parameters (with their respective values):

--- REQUEST ---
POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf


--- RESPONSE ---

[...]
<div id="ecom-header-bar">
    <ul id="left-links">
        <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
        <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
        <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1";>Main</a></li>
    </ul>
    <ul id="right-links">
        <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
        <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
        <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
        <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
        <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1";>Shopping&nbsp;Lists</a></li>
        <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order&nbsp;History</a></li>
    </ul>
</div>
[...]


Now, that's not so bad: basically it is not an exploitable issue.
The serious point is that if we log in with valid credentials, the HTML page 
that will be rendered after the successful login will contain a hidden 
parameter with our password, which can be easily grabbed thanks to the XSS issues that are 
still present almost everywhere in the ecommerce application.

--- REQUEST --- 

POST /ecommerce/control/login HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://localhost:8443/ecommerce/control/login
Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

USERNAME=euronymous&PASSWORD=euronymous666



--- RESPONSE ---
[...]
<div class="screenlet">
    <div class="screenlet-header">
        <div class="boxhead">Mini-Poll Poll</div>
    </div>
    <div class="screenlet-body">
        <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1"; style="margin: 0;">

    <input type="hidden" name="PASSWORD" value="euronymous666"/>
    <input type="hidden" name="USERNAME" value="euronymous"/>

    <input type="hidden" name="partyId" value="10010"/>

    <input type="hidden" name="surveyId" value="1003"/>
[...]
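A defender-side regression check for the two leaks shown above (the password echoed into a link's query string on failed login, and into a hidden form field after successful login). This is an added example, not code from the report or from OFBiz: it walks a response body with Python's html.parser and reports every hidden input or URL attribute that carries a password parameter. SAMPLE_HTML is a constructed fragment trimmed from the two responses quoted above; the parameter-name list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample, trimmed from the two OFBiz responses quoted in the report.
SAMPLE_HTML = """
<a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a>
<a href="/ecommerce/control/contactus">Contact Us</a>
<form method="post" action="/ecommerce/control/minipoll/main">
  <input type="hidden" name="PASSWORD" value="euronymous666"/>
  <input type="hidden" name="USERNAME" value="euronymous"/>
  <input type="hidden" name="partyId" value="10010"/>
</form>
"""

# Assumed parameter names (compared case-insensitively) that must never be echoed into markup.
SENSITIVE_NAMES = {"password", "passwd", "pwd"}

class CredentialEchoScanner(HTMLParser):
    """Records every hidden input or URL attribute that carries a credential."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (where, parameter name, echoed value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Hidden inputs: the post-login form case from the report.
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name") or ""
            if name.lower() in SENSITIVE_NAMES:
                self.findings.append(("hidden-input", name, a.get("value")))
        # URL-bearing attributes: the failed-login header link case from the report.
        for attr in ("href", "action", "src"):
            url = a.get(attr)
            if not url:
                continue
            params = parse_qs(urlsplit(url).query, keep_blank_values=True)
            for key, values in params.items():
                if key.lower() in SENSITIVE_NAMES:
                    self.findings.append((attr + "-query", key, values[0]))

def scan_for_credential_echo(html_body):
    """Return a list of (location, name, value) credential echoes found in an HTML body."""
    scanner = CredentialEchoScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings
```

Run over SAMPLE_HTML it reports the PASSWORD query parameter in the login link and the hidden PASSWORD input; pointed at live responses, a non-empty result fails the regression test.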

Have fun 

Michele Orrù

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
