[ 
https://issues.apache.org/jira/browse/OFBIZ-12584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17498634#comment-17498634
 ] 

ASF subversion and git services commented on OFBIZ-12584:
---------------------------------------------------------

Commit 06006f1666b2a81efcde4ec49d330c5fe1197e9f in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=06006f1 ]

Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite 
(OFBIZ-12584)

Adds <<",","+",',','+'>> to deniedWebShellTokens as an obviously non satisfying
(because images may contain those strings, I checked) temporary solution before
looking at Freemarker::WhitelistMemberAccessPolicy as suggested by Matei

Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerability


> Stored XSS in webappPath parameter from content/control/EditWebSite
> -------------------------------------------------------------------
>
>                 Key: OFBIZ-12584
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12584
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: content, framework/entity
>    Affects Versions: 18.12.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>
> A user with rights to modify and/or create websites may insert malicious HTML 
> elements in the “webappPath” parameter from content/control/EditWebSite 
> resulting in XSS.
> In order to trigger the XSS a victim needs to navigate to main page of the 
> modified website (eg webpos or ecommerce) and interact with the malicious 
> HTML elements (eg trigger the “onmouseover” event by navigating with the 
> mouse over the “form” and/or “a” tags).
> Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerability



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
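
The commit message above calls the token deny list a temporary solution because legitimate content can contain the denied strings. The sketch below is an added example, not code from OFBiz or from the commit: it sets a deny-list check using the two added tokens beside allow-list validation of the webappPath value and HTML encoding at output. The class name, method names, path pattern, length limit and sample values are all assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public class WebappPathCheck {
    // The two tokens the commit message says it added; the rest of the real list is not on the page.
    static final List<String> DENIED_TOKENS = List.of(",", "+");

    // Assumption: a webapp path is one or more "/segment" parts of letters, digits, '.', '_' or '-'.
    static final Pattern WEBAPP_PATH = Pattern.compile("(/[A-Za-z0-9._-]+)+");

    // Deny-list check: rejects any text that contains a listed token.
    static boolean passesDenyList(String text) {
        return DENIED_TOKENS.stream().noneMatch(text::contains);
    }

    // Allow-list check: accepts only values shaped like a path, so markup characters never get stored.
    static boolean isValidWebappPath(String value) {
        return value != null && value.length() <= 255 && WEBAPP_PATH.matcher(value).matches();
    }

    // Encodes the five HTML-significant characters for element and quoted-attribute contexts.
    static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the report.
        String[] samples = {"/ecommerce", "/webpos", "Invoice 1+2, final", "/shop\"><b>x</b>"};
        for (String s : samples) {
            System.out.printf("%-22s denyList=%-5b allowList=%-5b rendered=%s%n",
                    s, passesDenyList(s), isValidWebappPath(s), escapeHtml(s));
        }
    }
}
```

The third sample is ordinary text that the deny list rejects, which is the false-positive cost the commit message describes.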
