[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content

2015-11-10 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14998606#comment-14998606 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 11/10/15 1:52 PM:
--

The commit at revision 1713634 in trunk completes and finalises this work.

Before closing, to safely backport in R14.12, I will need to backport the 
improvement from OFBIZ-6701 before. Else it will be insanely complicated. I 
will ask agreement on dev ML...


was (Author: jacques.le.roux):
The commit at revision: 1713634 in trunk  completes and finalises this work

Before closint, to safely backport in R14.12, I will need to backport the 
improvement from OFBIZ-6701 before. Else it will be insanely complicated. I 
will ask agreement on dev ML...

> Possible static XSS issue with Content
> --
>
> Key: OFBIZ-6669
> URL: https://issues.apache.org/jira/browse/OFBIZ-6669
> Project: OFBiz
>  Issue Type: Bug
>  Components: content, order, party, product, workeffort
>Affects Versions: Release Branch 12.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch
>
> Attachments: OFBIZ-6669.patch, OFBIZ-6669.patch
>
>
> I found a possible XSS attack through *ContentWrapper.java and ContentWorker 
> itself.
> Note that in supported releases it's hard to exploit: it's a Stored XSS 
> (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting), which means you 
> first need to somehow inject the exploiting code into the DB.
> Issues in *ContentWrapper.java have already been fixed by changing the 
> ContentWrapper interface
> from
> {code}
> public interface ContentWrapper {
> public StringUtil.StringWrapper get(String contentTypeId);
> }
> {code}
> to
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
> {code}
> And changing the Category, Party, Product, ProductPromo, ProductConfigItem 
> and WorkEffort ContentWrappers accordingly. This means using 2 types of 
> encoderType: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those 
> that contain URL in their ContentTypeIds (actually ending with "_URL"), which 
> will use the "url" encoderType.
> It concerns not only the get() method but also methods like 
> getPartyContentAsText(), getProductContentAsText(), etc.
> It seems a big change but it's straightforward. It's now complete after the 
> following commits in revisions (I hope I did not miss reporting any):
> trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857  1708930
> and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 
> 1706163 1707858  1708931
> I have also committed a fix for ContentWorker. For that I have added 
> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property 
> in content.properties with some explanations. The reason I put this property 
> is because the sanitizer does some (safe) changes which might be unwanted in 
> a context where you are "sure" no one can inject/exploit your DB.
> Here is for instance the changes the sanitizer does when rendering cmssite
> {code}
> @@ -19,7 +19,7 @@
>  
> -
> +
>  This is the header!
>  
> @@ -27,34 +27,26 @@
>  
>Welcome to the CmsSite Home page.
> -  
> +
>
>This is a site to demonstrate the CMS capabilities of OFBiz. 
> Its basic function is the editing of website text
>inside a browser. If you want to edit the text you are reading 
> now, logon to the backend system, select the content component
> -  click on 'cmssite' in the website list and ten click on the 
> 'cms' button. There you see on the left hand side the tree of this website.
> -  If you click on 'homepage' then you can edit the content of 
> this page at the box in the r
> +  click on cmssite in the website list and ten click 
> on the cms button. There you see on the left hand side the tree of 
> this website.
> +  If you click on homepage then you can edit the 
> content of this page at the box in the r
>
>
>This is only the basic function of the CMS which is part of 
> the content component. The content component is actually more than a
>CMS it can also handle documents pretty well. An example is 
> the apache OFBiz document you can see when you click on the last option in 
> the list below.
> -  
> -  
> -  
> -Demo Page 1 - 
> Hard Coded Link
> -Demo Page 1 
> - Hard Coded 

[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content

2015-11-06 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954165#comment-14954165 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 11/6/15 2:57 PM:
-

The ContentWorker is fixed in
trunk r1708274  + r1708560 + r1712971
R14.12 r1708275 + r1708471 + r1712972




was (Author: jacques.le.roux):
The ContentWorker is fixed in
trunk r1708274  + r1708560  
R14.12 r1708275 + r1708471  



> Possible static XSS issue with Content
> --
>
> Key: OFBIZ-6669
> URL: https://issues.apache.org/jira/browse/OFBIZ-6669
> Project: OFBiz
>  Issue Type: Bug
>  Components: content, order, party, product, workeffort
>Affects Versions: Release Branch 12.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch
>
>
> I found a possible XSS attack through *ContentWrapper.java and ContentWorker 
> itself.
> Note that in supported releases it's hard to exploit: it's a Stored XSS 
> (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting), which means you 
> first need to somehow inject the exploiting code into the DB.
> Issues in *ContentWrapper.java have already been fixed by changing the 
> ContentWrapper interface
> from
> {code}
> public interface ContentWrapper {
> public StringUtil.StringWrapper get(String contentTypeId);
> }
> {code}
> to
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
> {code}
> And changing the Category, Party, Product, ProductPromo, ProductConfigItem 
> and WorkEffort ContentWrappers accordingly. This means using 2 types of 
> encoderType: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those 
> that contain URL in their ContentTypeIds (actually ending with "_URL"), which 
> will use the "url" encoderType.
> It concerns not only the get() method but also methods like 
> getPartyContentAsText(), getProductContentAsText(), etc.
> It seems a big change but it's straightforward. It's now complete after the 
> following commits in revisions (I hope I did not miss reporting any):
> trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857  1708930
> and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 
> 1706163 1707858  1708931
> I have also committed a fix for ContentWorker. For that I have added 
> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property 
> in content.properties with some explanations. The reason I put this property 
> is because the sanitizer does some (safe) changes which might be unwanted in 
> a context where you are "sure" no one can inject/exploit your DB.
> Here is for instance the changes the sanitizer does when rendering cmssite
> {code}
> @@ -19,7 +19,7 @@
>  
> -
> +
>  This is the header!
>  
> @@ -27,34 +27,26 @@
>  
>Welcome to the CmsSite Home page.
> -  
> +
>
>This is a site to demonstrate the CMS capabilities of OFBiz. 
> Its basic function is the editing of website text
>inside a browser. If you want to edit the text you are reading 
> now, logon to the backend system, select the content component
> -  click on 'cmssite' in the website list and ten click on the 
> 'cms' button. There you see on the left hand side the tree of this website.
> -  If you click on 'homepage' then you can edit the content of 
> this page at the box in the r
> +  click on cmssite in the website list and ten click 
> on the cms button. There you see on the left hand side the tree of 
> this website.
> +  If you click on homepage then you can edit the 
> content of this page at the box in the r
>
>
>This is only the basic function of the CMS which is part of 
> the content component. The content component is actually more than a
>CMS it can also handle documents pretty well. An example is 
> the apache OFBiz document you can see when you click on the last option in 
> the list below.
> -  
> -  
> -  
> -Demo Page 1 - 
> Hard Coded Link
> -Demo Page 1 
> - Hard Coded Link using the Sub-Content Pattern
> - href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page 1 - Dynamic Link
> - href="/cmssite/cms/CMSS_DEMO_SCREEN;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page with screen widget and screen decorator
> - 

[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content

2015-11-06 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14993841#comment-14993841 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 11/6/15 3:50 PM:
-

I reopen here to allow users to choose to not encode contents in 
*ContentWrapper classes, as they already can with the ContentWorker class using the 
content.sanitize property. Actually I will use another content.encode property 
and will generalize by creating a new UtilCodec.HtmlEncoder.encodeOrNot() 
method and use it in *ContentWrapper classes.

But the property should not be in the content application, to not introduce a 
dependency from base; not sure where to put it apart from base itself (in an 
owasp.properties maybe) to avoid introducing a dependency in base which is 
currently clean (does not depend on another OFBiz component):
{code}
C:\projectASF-Mars\ofbiz\framework\base>"C:\Program 
Files\Java\jdk1.8.0_51\bin\jdeps" build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\jce.jar
ofbiz-base.jar -> not found
ofbiz-base.jar -> build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\rt.jar
   org.ofbiz.base.component (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.net
  -> java.security
  -> java.util
  -> java.util.concurrent.atomic
  -> javax.xml.parsers
  -> org.ofbiz.base.config       ofbiz-base.jar
  -> org.ofbiz.base.container    ofbiz-base.jar
  -> org.ofbiz.base.location     ofbiz-base.jar
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.ofbiz.base.util.string  ofbiz-base.jar
  -> org.w3c.dom
  -> org.xml.sax
   org.ofbiz.base.concurrent (ofbiz-base.jar)
  -> java.lang
  -> java.util
  -> java.util.concurrent
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.config (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.net
  -> java.util
  -> java.util.concurrent
  -> javax.xml.parsers
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.ofbiz.base.util.cache   ofbiz-base.jar
  -> org.w3c.dom
  -> org.xml.sax
   org.ofbiz.base.container (ofbiz-base.jar)
  -> bsh                         not found
  -> java.io
  -> java.lang
  -> java.net
  -> java.rmi
  -> java.rmi.registry
  -> java.rmi.server
  -> java.util
  -> java.util.concurrent.atomic
  -> javax.xml.parsers
  -> org.ofbiz.base.component    ofbiz-base.jar
  -> org.ofbiz.base.config       ofbiz-base.jar
  -> org.ofbiz.base.start        not found
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.w3c.dom
  -> org.xml.sax
   org.ofbiz.base.conversion (ofbiz-base.jar)
  -> com.ibm.icu.util   not found
  -> java.io
  -> java.lang
  -> java.lang.reflect
  -> java.math
  -> java.net
  -> java.nio
  -> java.nio.charset
  -> java.sql
  -> java.text
  -> java.util
  -> java.util.concurrent
  -> java.util.regex
  -> javax.sql.rowset.serial
  -> org.ofbiz.base.lang         ofbiz-base.jar
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.crypto (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.nio.charset
  -> java.security
  -> java.security.spec
  -> java.util
  -> javax.crypto
  -> javax.crypto.spec
  -> org.apache.commons.codec.binary  not found
  -> org.apache.commons.lang     not found
  -> org.apache.shiro.crypto     not found
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.lang (ofbiz-base.jar)
  -> com.fasterxml.jackson.databind not found
  -> java.io
  -> java.lang
  -> java.lang.annotation
  -> org.apache.commons.io       not found
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.location (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.net
  -> java.util
  -> org.ofbiz.base.component    ofbiz-base.jar
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.metrics (ofbiz-base.jar)
  -> java.lang
  -> java.util
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.ofbiz.base.util.cache   ofbiz-base.jar
  -> org.w3c.dom
{code}

[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content

2015-11-06 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14993841#comment-14993841 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 11/6/15 3:51 PM:
-

I reopen here to allow users to choose to not encode contents in 
*ContentWrapper classes, as they already can with the ContentWorker class using the 
content.sanitize property. Actually I will use another content.encode property 
and will generalize by creating a new UtilCodec.HtmlEncoder.encodeOrNot() 
method and use it in *ContentWrapper classes.

But the property should not be in the content application, to not introduce a 
dependency from base; not sure where to put it apart from base itself (in an 
owasp.properties maybe) to avoid introducing a dependency in base which is 
currently clean (does not depend on another OFBiz component):
{code}
C:\projectASF-Mars\ofbiz\framework\base>"C:\Program 
Files\Java\jdk1.8.0_51\bin\jdeps" build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\jce.jar
ofbiz-base.jar -> not found
ofbiz-base.jar -> build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\rt.jar
   org.ofbiz.base.component (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.net
  -> java.security
  -> java.util
  -> java.util.concurrent.atomic
  -> javax.xml.parsers
  -> org.ofbiz.base.config       ofbiz-base.jar
  -> org.ofbiz.base.container    ofbiz-base.jar
  -> org.ofbiz.base.location     ofbiz-base.jar
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.ofbiz.base.util.string  ofbiz-base.jar
  -> org.w3c.dom
  -> org.xml.sax
   org.ofbiz.base.concurrent (ofbiz-base.jar)
  -> java.lang
  -> java.util
  -> java.util.concurrent
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.config (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.net
  -> java.util
  -> java.util.concurrent
  -> javax.xml.parsers
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.ofbiz.base.util.cache   ofbiz-base.jar
  -> org.w3c.dom
  -> org.xml.sax
   org.ofbiz.base.container (ofbiz-base.jar)
  -> bsh                         not found
  -> java.io
  -> java.lang
  -> java.net
  -> java.rmi
  -> java.rmi.registry
  -> java.rmi.server
  -> java.util
  -> java.util.concurrent.atomic
  -> javax.xml.parsers
  -> org.ofbiz.base.component    ofbiz-base.jar
  -> org.ofbiz.base.config       ofbiz-base.jar
  -> org.ofbiz.base.start        not found
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.w3c.dom
  -> org.xml.sax
   org.ofbiz.base.conversion (ofbiz-base.jar)
  -> com.ibm.icu.util   not found
  -> java.io
  -> java.lang
  -> java.lang.reflect
  -> java.math
  -> java.net
  -> java.nio
  -> java.nio.charset
  -> java.sql
  -> java.text
  -> java.util
  -> java.util.concurrent
  -> java.util.regex
  -> javax.sql.rowset.serial
  -> org.ofbiz.base.lang         ofbiz-base.jar
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.crypto (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.nio.charset
  -> java.security
  -> java.security.spec
  -> java.util
  -> javax.crypto
  -> javax.crypto.spec
  -> org.apache.commons.codec.binary  not found
  -> org.apache.commons.lang     not found
  -> org.apache.shiro.crypto     not found
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.lang (ofbiz-base.jar)
  -> com.fasterxml.jackson.databind not found
  -> java.io
  -> java.lang
  -> java.lang.annotation
  -> org.apache.commons.io       not found
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.location (ofbiz-base.jar)
  -> java.io
  -> java.lang
  -> java.net
  -> java.util
  -> org.ofbiz.base.component    ofbiz-base.jar
  -> org.ofbiz.base.util         ofbiz-base.jar
   org.ofbiz.base.metrics (ofbiz-base.jar)
  -> java.lang
  -> java.util
  -> org.ofbiz.base.util         ofbiz-base.jar
  -> org.ofbiz.base.util.cache   ofbiz-base.jar
  -> org.w3c.dom
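{code}

As an added, stand-alone illustration (not OFBiz code, and not the patch attached to this issue) of the two mechanisms discussed in the comments above: a ContentWrapper-style get(contentTypeId, encoderType) whose encoder follows the "_URL" suffix rule from the issue description, and a property-gated encodeOrNot() of the kind proposed for UtilCodec.HtmlEncoder. The class name, the minimal HTML escaper standing in for OFBiz's own html encoder, the content type ids and the stored sample strings are all constructed for this example; only the property name content.encode and the "html"/"url" encoder types come from the issue.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Stand-alone illustration of the OFBIZ-6669 design (not OFBiz code):
 *  - every *ContentWrapper lookup names the output context it encodes for
 *    ("html" for text, "url" for content types ending in "_URL");
 *  - encoding can be switched off with content.encode=false, and the
 *    default when the property is missing is to encode.
 */
public class ContentEncodingDemo {

    /** Minimal HTML text/attribute encoder; stands in for OFBiz's html encoder (assumption). */
    static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** URL encoder for *_URL content types, so stored text cannot break out of an href. */
    static String encodeUrl(String s) {
        try {
            return URLEncoder.encode(s, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always present
        }
    }

    /** The rule from the issue: content types ending in "_URL" get "url", everything else "html". */
    static String encoderTypeFor(String contentTypeId) {
        return contentTypeId.endsWith("_URL") ? "url" : "html";
    }

    /**
     * Property-gated encoding in the spirit of the proposed encodeOrNot().
     * Fail-safe: only an explicit content.encode=false disables encoding.
     */
    static String encodeOrNot(Properties props, String encoderType, String value) {
        boolean encode = !"false".equalsIgnoreCase(props.getProperty("content.encode", "true").trim());
        if (value == null || !encode) {
            return value;
        }
        switch (encoderType) {
            case "html": return encodeHtml(value);
            case "url":  return encodeUrl(value);
            default: throw new IllegalArgumentException("unknown encoderType: " + encoderType);
        }
    }

    /** In-memory stand-in for a *ContentWrapper: the caller states the context it renders into. */
    static final class DemoContentWrapper {
        private final Map<String, String> stored = new HashMap<>();
        private final Properties props;

        DemoContentWrapper(Properties props) { this.props = props; }

        void put(String contentTypeId, String value) { stored.put(contentTypeId, value); }

        String get(String contentTypeId, String encoderType) {
            return encodeOrNot(props, encoderType, stored.get(contentTypeId));
        }

        /** Convenience overload deriving the encoder from the content type id. */
        String get(String contentTypeId) {
            return get(contentTypeId, encoderTypeFor(contentTypeId));
        }
    }

    public static void main(String[] args) {
        // Constructed sample rows: what a stored-XSS write into the content tables could leave behind.
        String description = "Shiny widget <script>alert(1)</script>";
        String imageUrl = "pic.png\" onerror=\"alert(2)";

        Properties defaults = new Properties();          // content.encode absent -> encoding on
        DemoContentWrapper wrapper = new DemoContentWrapper(defaults);
        wrapper.put("DESCRIPTION", description);         // illustrative content type ids
        wrapper.put("SMALL_IMAGE_URL", imageUrl);
        System.out.println(wrapper.get("DESCRIPTION"));       // markup rendered inert as &lt;script&gt;...
        System.out.println(wrapper.get("SMALL_IMAGE_URL"));   // quote and spaces percent-encoded

        Properties trustedDb = new Properties();
        trustedDb.setProperty("content.encode", "false"); // only for a DB nobody untrusted can write to
        DemoContentWrapper raw = new DemoContentWrapper(trustedDb);
        raw.put("DESCRIPTION", description);
        System.out.println(raw.get("DESCRIPTION"));           // stored markup passes through unchanged
    }
}
```

Compile and run with `javac ContentEncodingDemo.java && java ContentEncodingDemo`. The default-on choice is the point of the design: a deployment that has never heard of content.encode gets encoded output, and only an explicit content.encode=false, justified by the "sure no one can inject into the DB" argument from the issue description, turns it off. Keeping the encoder choice on the caller side (the encoderType argument) is what lets the same stored value be safe both as element text and inside an href.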
   

[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content

2015-10-16 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14960507#comment-14960507 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 10/16/15 10:56 AM:
---

I wonder if we should not close here and create a new issue for the (maybe not 
easy) backporting task, opinions? On the other hand having all here seems 
easier...

OK I create a subtask :D


was (Author: jacques.le.roux):
I wonder if we should not close here and create a new issue for the (maybe not 
easy) backporting task, opinions? On the other hand having all here seems 
easier...

> Possible static XSS issue with Content
> --
>
> Key: OFBIZ-6669
> URL: https://issues.apache.org/jira/browse/OFBIZ-6669
> Project: OFBiz
>  Issue Type: Bug
>  Components: content, order, party, product, workeffort
>Affects Versions: Release Branch 12.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch
>
>
> I found a possible XSS attack through *ContentWrapper.java and ContentWorker 
> itself.
> Note that in supported releases it's hard to exploit: it's a Stored XSS 
> (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting), which means you 
> first need to somehow inject the exploiting code into the DB.
> Issues in *ContentWrapper.java have already been fixed by changing the 
> ContentWrapper interface
> from
> {code}
> public interface ContentWrapper {
> public StringUtil.StringWrapper get(String contentTypeId);
> }
> {code}
> to
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
> {code}
> And changing the Category, Party, Product, ProductPromo, ProductConfigItem 
> and WorkEffort ContentWrappers accordingly. This means using 2 types of 
> encoderType: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those 
> that contain URL in their ContentTypeIds (actually ending with "_URL"), which 
> will use the "url" encoderType.
> It concerns not only the get() method but also methods like 
> getPartyContentAsText(), getProductContentAsText(), etc.
> It seems a big change but it's straightforward. It's now complete after the 
> following commits in revisions (I hope I did not miss reporting any):
> trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857  1708930
> and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 
> 1706163 1707858  1708931
> I have also committed a fix for ContentWorker. For that I have added 
> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property 
> in content.properties with some explanations. The reason I put this property 
> is because the sanitizer does some (safe) changes which might be unwanted in 
> a context where you are "sure" no one can inject/exploit your DB.
> Here is for instance the changes the sanitizer does when rendering cmssite
> {code}
> @@ -19,7 +19,7 @@
>  
> -
> +
>  This is the header!
>  
> @@ -27,34 +27,26 @@
>  
>Welcome to the CmsSite Home page.
> -  
> +
>
>This is a site to demonstrate the CMS capabilities of OFBiz. 
> Its basic function is the editing of website text
>inside a browser. If you want to edit the text you are reading 
> now, logon to the backend system, select the content component
> -  click on 'cmssite' in the website list and ten click on the 
> 'cms' button. There you see on the left hand side the tree of this website.
> -  If you click on 'homepage' then you can edit the content of 
> this page at the box in the r
> +  click on cmssite in the website list and ten click 
> on the cms button. There you see on the left hand side the tree of 
> this website.
> +  If you click on homepage then you can edit the 
> content of this page at the box in the r
>
>
>This is only the basic function of the CMS which is part of 
> the content component. The content component is actually more than a
>CMS it can also handle documents pretty well. An example is 
> the apache OFBiz document you can see when you click on the last option in 
> the list below.
> -  
> -  
> -  
> -Demo Page 1 - 
> Hard Coded Link
> -Demo Page 1 
> - Hard Coded Link using the Sub-Content Pattern
> - href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page 1 - Dynamic Link
> - 

[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content

2015-10-14 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954165#comment-14954165 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 10/14/15 8:52 AM:
--

The ContentWorker is fixed in
trunk r1708274  + r1708560  
R14.12 r1708275 + r1708471  




was (Author: jacques.le.roux):
The ContentWorker is fixed in
trunk r1708274  
R14.12 r1708275 + r1708471  



> Possible static XSS issue with Content
> --
>
> Key: OFBIZ-6669
> URL: https://issues.apache.org/jira/browse/OFBIZ-6669
> Project: OFBiz
>  Issue Type: Bug
>  Components: content, order, party, product, workeffort
>Affects Versions: Release Branch 12.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch
>
>
> I found a possible XSS attack through *ContentWrapper.java and ContentWorker 
> itself.
> Note that in supported releases it's hard to exploit: it's a Stored XSS 
> (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting), which means you 
> first need to somehow inject the exploiting code into the DB.
> Issues in *ContentWrapper.java have already been fixed by changing the 
> ContentWrapper interface
> from
> {code}
> public interface ContentWrapper {
> public StringUtil.StringWrapper get(String contentTypeId);
> }
> {code}
> to
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
> {code}
> And changing the Category, Party, Product, ProductPromo, ProductConfigItem 
> and WorkEffort ContentWrappers accordingly. This means using 2 types of 
> encoderType: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those 
> that contain URL in their ContentTypeIds (actually ending with "_URL"), which 
> will use the "url" encoderType.
> It concerns not only the get() method but also methods like 
> getPartyContentAsText(), getProductContentAsText(), etc.
> It seems a big change but it's straightforward. It's now complete after the 
> following commits in revisions (I hope I did not miss reporting any):
> trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857
> and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 
> 1706163 1707858
> I have also committed a fix for ContentWorker. For that I have added 
> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property 
> in content.properties with some explanations. The reason I put this property 
> is because the sanitizer does some (safe) changes which might be unwanted in 
> a context where you are "sure" no one can inject/exploit your DB.
> Here is for instance the changes the sanitizer does when rendering cmssite
> {code}
> @@ -19,7 +19,7 @@
>  
> -
> +
>  This is the header!
>  
> @@ -27,34 +27,26 @@
>  
>Welcome to the CmsSite Home page.
> -  
> +
>
>This is a site to demonstrate the CMS capabilities of OFBiz. 
> Its basic function is the editing of website text
>inside a browser. If you want to edit the text you are reading 
> now, logon to the backend system, select the content component
> -  click on 'cmssite' in the website list and ten click on the 
> 'cms' button. There you see on the left hand side the tree of this website.
> -  If you click on 'homepage' then you can edit the content of 
> this page at the box in the r
> +  click on cmssite in the website list and ten click 
> on the cms button. There you see on the left hand side the tree of 
> this website.
> +  If you click on homepage then you can edit the 
> content of this page at the box in the r
>
>
>This is only the basic function of the CMS which is part of 
> the content component. The content component is actually more than a
>CMS it can also handle documents pretty well. An example is 
> the apache OFBiz document you can see when you click on the last option in 
> the list below.
> -  
> -  
> -  
> -Demo Page 1 - 
> Hard Coded Link
> -Demo Page 1 
> - Hard Coded Link using the Sub-Content Pattern
> - href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page 1 - Dynamic Link
> - href="/cmssite/cms/CMSS_DEMO_SCREEN;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page with screen widget and screen decorator
> - 

[jira] [Comment Edited] (OFBIZ-6669) Possible static XSS issue with Content

2015-10-13 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954165#comment-14954165 ]

Jacques Le Roux edited comment on OFBIZ-6669 at 10/13/15 5:29 PM:
--

The ContentWorker is fixed in
trunk r1708274  
R14.12 r1708275 + r1708471  




was (Author: jacques.le.roux):
The ContentWorker is fixed in
trunk r1708274  
R14.12 r1708275



> Possible static XSS issue with Content
> --
>
> Key: OFBIZ-6669
> URL: https://issues.apache.org/jira/browse/OFBIZ-6669
> Project: OFBiz
>  Issue Type: Bug
>  Components: content, order, party, product, workeffort
>Affects Versions: Release Branch 12.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch
>
>
> I found a possible XSS attack through *ContentWrapper.java and ContentWorker 
> itself.
> Note that in supported releases it's hard to exploit: it's a Stored XSS 
> (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting), which means you 
> first need to somehow inject the exploiting code into the DB.
> Issues in *ContentWrapper.java have already been fixed by changing the 
> ContentWrapper interface
> from
> {code}
> public interface ContentWrapper {
> public StringUtil.StringWrapper get(String contentTypeId);
> }
> {code}
> to
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
> {code}
> And changing the Category, Party, Product, ProductPromo, ProductConfigItem 
> and WorkEffort ContentWrappers accordingly. This means using 2 types of 
> encoderType: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those 
> that contain URL in their ContentTypeIds (actually ending with "_URL"), which 
> will use the "url" encoderType.
> It concerns not only the get() method but also methods like 
> getPartyContentAsText(), getProductContentAsText(), etc.
> It seems a big change but it's straightforward. It's now complete after the 
> following commits in revisions (I hope I did not miss reporting any):
> trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857
> and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 
> 1706163 1707858
> I have also committed a fix for ContentWorker. For that I have added 
> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property 
> in content.properties with some explanations. The reason I put this property 
> is because the sanitizer does some (safe) changes which might be unwanted in 
> a context where you are "sure" no one can inject/exploit your DB.
> Here is for instance the changes the sanitizer does when rendering cmssite
> {code}
> @@ -19,7 +19,7 @@
>  
> -
> +
>  This is the header!
>  
> @@ -27,34 +27,26 @@
>  
>Welcome to the CmsSite Home page.
> -  
> +
>
>This is a site to demonstrate the CMS capabilities of OFBiz. 
> Its basic function is the editing of website text
>inside a browser. If you want to edit the text you are reading 
> now, logon to the backend system, select the content component
> -  click on 'cmssite' in the website list and ten click on the 
> 'cms' button. There you see on the left hand side the tree of this website.
> -  If you click on 'homepage' then you can edit the content of 
> this page at the box in the r
> +  click on cmssite in the website list and ten click 
> on the cms button. There you see on the left hand side the tree of 
> this website.
> +  If you click on homepage then you can edit the 
> content of this page at the box in the r
>
>
>This is only the basic function of the CMS which is part of 
> the content component. The content component is actually more than a
>CMS it can also handle documents pretty well. An example is 
> the apache OFBiz document you can see when you click on the last option in 
> the list below.
> -  
> -  
> -  
> -Demo Page 1 - 
> Hard Coded Link
> -Demo Page 1 
> - Hard Coded Link using the Sub-Content Pattern
> - href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page 1 - Dynamic Link
> - href="/cmssite/cms/CMSS_DEMO_SCREEN;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page with screen widget and screen decorator
> - href="/cmssite/cms/CMSS_DEMO_BLOG;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo
>  Page with blog
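{code}

Review bot: the removed link lines of this second hunk carry a `;jsessionid=...` path parameter in every href (the CMSS_DEMO_PAGE1, CMSS_DEMO_SCREEN and CMSS_DEMO_BLOG links), so the session identifier is written into the rendered page source and travels in browser history and Referer headers when those links are followed; that is unrelated to the sanitizer change this diff is meant to show. Worth confirming that the cmssite webapp really needs URL-based session tracking and, if it does not, restricting the container to cookie-based tracking so rendered links stay free of session ids.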