[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12436365 ]
Leon Torres commented on OFBIZ-260:
-----------------------------------
The attack would have to be extremely sophisticated and social: Imagine that
the popup is inserted into some description field. When displayed in a text
area, it gets executed. (I tried <script>alert("XSS")</script>, it worked.)
Now imagine that the popup is designed to look like the OFBiz login screen. An
administrator would type in the username and password, which then get sent to
some remote site via a URL call in JavaScript. The window closes and the
administrator wonders what happened.

So a combination of phishing techniques, careful scripting, a careless user,
and a compromised account that can edit a textarea is sufficient to cause a
vulnerability.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from
> Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components besides ecommerce are also affected.
>