[ https://issues.apache.org/jira/browse/OFBIZ-12584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17498636#comment-17498636 ]

ASF subversion and git services commented on OFBIZ-12584:
---------------------------------------------------------

Commit d45795b9163ab315725a6722b7bf720d7142db44 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=d45795b ]

Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite 
(OFBIZ-12584)

Adds <<",","+",',','+'>> to deniedWebShellTokens as an obviously non satisfying
(because images may contain those strings, I checked) temporary solution before
looking at Freemarker::WhitelistMemberAccessPolicy as suggested by Matei

Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerability


> Stored XSS in webappPath parameter from content/control/EditWebSite
> -------------------------------------------------------------------
>
>                 Key: OFBIZ-12584
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12584
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: content, framework/entity
>    Affects Versions: 18.12.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>
> A user with rights to modify and/or create websites may insert malicious HTML 
> elements in the “webappPath” parameter from content/control/EditWebSite, 
> resulting in XSS.
> In order to trigger the XSS, a victim needs to navigate to the main page of the 
> modified website (e.g. webpos or ecommerce) and interact with the malicious 
> HTML elements (e.g. trigger the “onmouseover” event by navigating with the 
> mouse over the “form” and/or “a” tags).
> Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerability



--
This message was sent by Atlassian Jira
(v8.20.1#820001)