[
https://issues.apache.org/jira/browse/OFBIZ-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733892#action_12733892
]
David E. Jones commented on OFBIZ-2747:
---------------------------------------
Which version/revision of OFBiz did you test? What was the actual URL the
request went to and what data was submitted?
If you're reporting this based on the general testing a few years ago, and this
is not a newer issue, then this has already been thoroughly fixed. For more
details search for "XSS" here in Jira and also on the OFBiz dev mailing list.
There are a number of Jira issues, and dozens of messages (including some with
very detailed discussions of the problem and solution).
Please look into this and comment about whether or not this is still an issue.
If it is an issue we need a list of steps to reproduce, because if you try this
in general right now you'll see that the HTML is either not accepted, or that
the script and other elements are filtered out (depending on if the field you
enter text into has HTML not allowed or safe HTML allowed). Also, we need to
know exactly which output screen is not encoding the HTML output because all of
that should too, except cases where it is explicitly allowed because it is
expected that HTML will be coming from the database (like managed content).
> Security : The remote web server is prone to cross-site scripting attacks.
> ---------------------------------------------------------------------------
>
> Key: OFBIZ-2747
> URL: https://issues.apache.org/jira/browse/OFBIZ-2747
> Project: OFBiz
> Issue Type: Bug
> Components: specialpurpose/ecommerce
> Affects Versions: SVN trunk
> Reporter: Alexandre Mazari
> Priority: Critical
>
> The pollbox seems to be subject to request argument injection, without any
> strip of html tags (ex : <script>).
> Nessus scan log :
> Web Server Generic XSS
> Synopsis :
> The remote web server is prone to cross-site scripting attacks.
> Description :
> The remote host is running a web server that fails to adequately
> sanitize request strings of malicious JavaScript. By leveraging this
> issue, an attacker may be able to cause arbitrary HTML and script code
> to be executed in a user's browser within the security context of the
> affected site.
> See also :
> http://en.wikipedia.org/wiki/Cross-site_scripting
> Solution :
> Contact the vendor for a patch or upgrade.
> Risk factor :
> Medium / CVSS Base Score : 4.3
> (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
> Plugin output :
> The request string used to detect this flaw was :
> /?<script>cross_site_scripting.nasl</script>
> The output was :
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> X-Powered-By: JSP/2.1
> Set-Cookie: OFBiz.Visitor=12065; Expires=Wed, 21-Jul-2010 21:31:20 GMT; Path=/
> Content-Type: text/html;charset=UTF-8
> Transfer-Encoding: chunked
> Date: Tue, 21 Jul 2009 21:31:19 GMT
> [...]
> <h3>Mouse Hand Poll</h3>
> <div class="screenlet-body">
> <form method="post" action="/control/minipoll/main" style="margin: 0;">
> <input type="hidden" name="<script>cross_site_scripting.nasl</script>"
> value=""/>
> <input type="hidden" name="surveyId" value="1004"/>
> <table width="100%" border="0" cellpadding="2" cellspacing="0">
> [...]
> CVE : CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681
> BID : 5305, 7344, 7353, 8037, 14473, 17408
> Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314
> Nessus ID : 10815
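An added example (written in Python rather than OFBiz's Java, and not OFBiz code) contrasting the pattern the scan hit, request parameter names copied verbatim into hidden inputs, with the HTML-encoded output the comment above calls for; the parameter dictionary is constructed from the probe shown in the report, and the allow-list of forwarded names is an assumption:

```python
import html
from typing import Mapping

# Constructed sample: the parameters the scanner sent to the pollbox,
# modelled on the probe string quoted in the Nessus output above.
SAMPLE_PARAMS = {
    "<script>cross_site_scripting.nasl</script>": "",
    "surveyId": "1004",
}
PROBE = "<script>cross_site_scripting.nasl</script>"

# Assumed allow-list: the only parameter the pollbox form actually needs
# to carry forward. Unknown names are dropped instead of being echoed.
ALLOWED_NAMES = frozenset({"surveyId"})


def render_hidden_inputs_unsafe(params: Mapping[str, str]) -> str:
    """Vulnerable pattern: names and values are interpolated into the form
    markup as-is, so a name containing '<script>' reaches the browser."""
    return "".join(
        f'<input type="hidden" name="{name}" value="{value}"/>\n'
        for name, value in params.items()
    )


def render_hidden_inputs_safe(params: Mapping[str, str]) -> str:
    """Hardened pattern: every dynamic fragment is attribute-encoded before it
    is placed inside a quoted attribute (quote=True also escapes " and ')."""
    return "".join(
        f'<input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}"/>\n'
        for name, value in params.items()
    )


def filter_params(params: Mapping[str, str],
                  allowed: frozenset = ALLOWED_NAMES) -> dict:
    """Defence in depth: only forward parameters the form knows about."""
    return {name: value for name, value in params.items() if name in allowed}


def reflects_raw_markup(response_body: str, probe: str) -> bool:
    """Detection check equivalent to the scanner's: the probe string appears
    unencoded in the response body."""
    return probe in response_body
```

Encoding at the output point is what makes the reflected name harmless; the allow-list additionally keeps unexpected parameters out of the form altogether.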