[
https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674406#action_12674406
]
David E. Jones commented on OFBIZ-2194:
---------------------------------------
Thanks for reporting this Michele.
Which revision of OFBiz are you testing this on?
This was a known problem (form fields ending up in the URL for post-login use,
including login form fields if you click on things in the right order) that was
fixed about two weeks ago as part of my rewriting some of the messy parts of
the RequestHandler (part of the ControlServlet) and the parameter handling for
post-login forwarding (which is now done as actual forwarding).
Could you test this with the latest trunk? The issue should be resolved...
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to
> the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our
> request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST
> /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS
> HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5)
> Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer:
> https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1;
> deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin;
> OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin;
> warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a
> href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a
> href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a
> href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1";>Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right
> to left instead of left to right -->
> <li id="header-bar-viewprofile"><a
> href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a
> href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a
> href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a
> href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1";>Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a
> href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not son bad: basically is not an exploitable issue.
> The serious point is that if we Log-in with valid credentials, the HTML page
> that will be rendered after the successful login will containt an hidden
> parameter with our password, that can be easily grabbed thanks to XSS that
> are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5)
> Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1;
> deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin;
> OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin;
> warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio;
> ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post"
> action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1";
> style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele OrrĂ¹
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
