[
https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michele Orru resolved OFBIZ-2194.
---------------------------------
Resolution: Fixed
Confirmed fixed in rev. 742352
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to
> the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our
> request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
>
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a
> href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a
> href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a
> href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right
> to left instead of left to right -->
> <li id="header-bar-viewprofile"><a
> href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a
> href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a
> href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a
> href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a
> href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not so bad: basically it is not an exploitable issue.
> The serious point is that if we log in with valid credentials, the HTML page
> that will be rendered after the successful login will contain a hidden
> parameter with our password, which can be easily grabbed thanks to the XSS that
> are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
>
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post"
> action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1"
> style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù
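The report above shows two ways the submitted credentials come back to the browser: appended to the query string of the "Login" link in the header bar after a failed login, and as hidden PASSWORD/USERNAME inputs in the mini-poll form after a successful one. The following Python script is an added example, not code from the report or from the OFBiz project. It parses an HTML response with the standard-library HTMLParser, flags both reflection patterns, and shows a generic remediation that rebuilds a URL with the credential parameters dropped. The HTML samples are constructed from the snippets quoted in the report; the parameter list and function names are assumptions of this example.

```python
"""Scan an HTML login response for credentials echoed back to the client.

Added example (not OFBiz code). Two checks are implemented:
  1. an <a href> or <form action> whose query string carries a credential
     parameter (the post-failure "Login" link in the report);
  2. a hidden <input> whose name is a credential parameter (the post-login
     mini-poll form in the report).
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as credentials (assumption: the two from the report).
SENSITIVE_PARAMS = {"USERNAME", "PASSWORD"}

# Constructed from the failed-login response quoted in the report.
FAILED_LOGIN_HTML = """
<div id="ecom-header-bar"><ul id="left-links">
<li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
<li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
</ul></div>
"""

# Constructed from the successful-login response quoted in the report.
SUCCESSFUL_LOGIN_HTML = """
<form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1">
<input type="hidden" name="PASSWORD" value="euronymous666"/>
<input type="hidden" name="USERNAME" value="euronymous"/>
<input type="hidden" name="partyId" value="10010"/>
<input type="hidden" name="surveyId" value="1003"/>
</form>
"""


class CredentialLeakScanner(HTMLParser):
    """Collects (kind, parameter name, value) tuples for every reflection."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so &amp; in hrefs is unescaped
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._check_url(a["href"])
        elif tag == "form" and a.get("action"):
            self._check_url(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name") or ""
            if name.upper() in SENSITIVE_PARAMS:
                self.findings.append(("hidden-input", name, a.get("value") or ""))

    def _check_url(self, url):
        # Only the query string is inspected; path segments are left alone.
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if key.upper() in SENSITIVE_PARAMS:
                self.findings.append(("url-query", key, value))


def scan(html):
    """Return the list of credential reflections found in an HTML document."""
    parser = CredentialLeakScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def strip_sensitive_params(url):
    """Rebuild a URL without credential parameters in its query string.

    Generic remediation for the link-building side (an assumption of this
    example, not the OFBiz fix): only non-credential parameters are carried
    over when a link is generated from the current request's parameters.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.upper() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for label, doc in (("failed login", FAILED_LOGIN_HTML),
                       ("successful login", SUCCESSFUL_LOGIN_HTML)):
        for kind, name, value in scan(doc):
            print(f"{label}: {kind} {name}={value}")
    leaky = "/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS"
    print("sanitised link:", strip_sensitive_params(leaky))
```

Run against a captured response body (for example one saved from an intercepting proxy) the scanner reports each reflection with its kind, so the failed-login case shows up as `url-query` hits and the post-login case as `hidden-input` hits. The comma in `nodeTrailCsv` is re-encoded as `%2C` by `urlencode`, matching the form the original request used.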