[jira] [Commented] (OFBIZ-10676) Self XSS
[ https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16701010#comment-16701010 ]

Scott Gray commented on OFBIZ-10676:
------------------------------------

Just to clarify for anyone reading this and being concerned, this isn't a security vulnerability and presents no risk of attack to users. After being sent to the server via AJAX to update the record, the data is inserted directly into the page without being HTML encoded, and this triggers the script. However, only the logged-in user that inserted the script is affected (immediately after submission); subsequent page loads by this user or any other user render the script unexecutable because it is correctly encoded as HTML in both view and edit mode when being rendered server-side. So it's simply a UI bug rather than a vulnerability.

Thanks for the report Dinesh.

> Self XSS
> --------
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: Trunk, 16.11.05
> Reporter: Dinesh Mohanty
> Assignee: Benjamin Jugl
> Priority: Major
> Labels: security
>
> A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Log in to the Scrum Management Portal as *productowner* and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
> 4. One can see that the XSS payload executes, confirming the Self XSS
> Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
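The comment above describes the two render paths precisely: the server-side template HTML-encodes the backlog item description, but the AJAX callback splices the returned value into the page as-is. The following is an added example (not OFBiz code, and the function names `renderBacklogItemCellUnsafe`, `renderBacklogItemCellSafe`, `applyUpdateToCell` and `containsInjectedTag` are illustrative) that puts the unencoded and encoded client-side insertions side by side, and shows the DOM API that removes the need to remember the encoding step at all.

```javascript
// Added example, not OFBiz code: the two ways an AJAX update callback can put
// the server's response back into the page, and why only one of them is safe.
// All function names here are illustrative and do not come from the project.

// Escape the five characters that let a string break out of an HTML text node
// or a quoted attribute value. One regex pass, so '&' is never double-encoded.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// What the reported UI bug does: the description echoed back by the update
// request is spliced into markup unchanged, so a value like
// '<script>alert(1)</script>' (or '<img src=x onerror=alert(1)>', which also
// fires when inserted via innerHTML) becomes live markup for the submitting user.
function renderBacklogItemCellUnsafe(description) {
  return `<td class="backlog-item">${description}</td>`;
}

// What the server-side render path already does, which is why a fresh page
// load shows the payload as inert text instead of executing it.
function renderBacklogItemCellSafe(description) {
  return `<td class="backlog-item">${escapeHtml(description)}</td>`;
}

// When the callback has the DOM element in hand, skip string building entirely:
// assigning textContent creates a text node, which the browser never parses as
// markup, so there is no encoding step to forget. `cell` is any object with a
// textContent property (a real HTMLElement in the browser; a plain object in the
// stand-alone demo below).
function applyUpdateToCell(cell, updateResponse) {
  cell.textContent = updateResponse.description;
  return cell;
}

// Crude reviewer check: does the produced markup contain any tag other than the
// <td> wrapper? Good enough to tell the two render functions apart in a test.
function containsInjectedTag(markup) {
  const inner = markup.replace(/^<td[^>]*>/, '').replace(/<\/td>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample inputs: a benign description and the value from the report.
const SAMPLE_BENIGN = 'Sprint 3: fix login page & logout';
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

// Stand-alone demo; returns the three renderings so they can be inspected.
function demo() {
  const result = {
    unsafe: renderBacklogItemCellUnsafe(SAMPLE_PAYLOAD),
    safe: renderBacklogItemCellSafe(SAMPLE_PAYLOAD),
    dom: applyUpdateToCell({ textContent: '' }, { description: SAMPLE_PAYLOAD }).textContent,
  };
  console.log('unsafe markup :', result.unsafe);
  console.log('encoded markup:', result.safe);
  console.log('textContent   :', result.dom);
  return result;
}

demo();
```

The `textContent` route is the one to prefer in the AJAX callback: it needs no escaping helper and cannot regress if someone later drops the `escapeHtml` call. Note that the check in `containsInjectedTag` is a test aid only; it is not a sanitizer and must not be used as one.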
[jira] [Assigned] (OFBIZ-10667) User should redirect to view cart page after adding the product from compare product screen
[ https://issues.apache.org/jira/browse/OFBIZ-10667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-10667:
---------------------------------------

    Assignee:     (was: Jacques Le Roux)

> User should redirect to view cart page after adding the product from compare product screen
> -------------------------------------------------------------------------------------------
>
> Key: OFBIZ-10667
> URL: https://issues.apache.org/jira/browse/OFBIZ-10667
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk
> Reporter: Ratnesh Upadhyay
> Priority: Major
> Attachments: OFBIZ-10667.patch
>
> Currently the user is navigated to the add item page instead of the view cart page when adding a product to the cart from the compare product screen. The user gets stuck after navigating to the add item page.
> Steps to replicate the issue:
> 1. Go to the eCommerce application.
> 2. Click on the add to compare button for the products - Round Gizmo and Tiny Chrome Widget.
> 3. Click on 'Compare Products' from the right bar.
> 4. Click on 'Add to cart' on the compare product screen.
> Expected behaviour: The user should be redirected to the view cart page instead of the add item page.
[jira] [Assigned] (OFBIZ-10667) User should redirect to view cart page after adding the product from compare product screen
[ https://issues.apache.org/jira/browse/OFBIZ-10667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-10667:
---------------------------------------

    Assignee: Jacques Le Roux  (was: Ritesh Kumar)

> User should redirect to view cart page after adding the product from compare product screen
> -------------------------------------------------------------------------------------------
>
> Key: OFBIZ-10667
> URL: https://issues.apache.org/jira/browse/OFBIZ-10667
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk
> Reporter: Ratnesh Upadhyay
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: OFBIZ-10667.patch
>
> Currently the user is navigated to the add item page instead of the view cart page when adding a product to the cart from the compare product screen. The user gets stuck after navigating to the add item page.
> Steps to replicate the issue:
> 1. Go to the eCommerce application.
> 2. Click on the add to compare button for the products - Round Gizmo and Tiny Chrome Widget.
> 3. Click on 'Compare Products' from the right bar.
> 4. Click on 'Add to cart' on the compare product screen.
> Expected behaviour: The user should be redirected to the view cart page instead of the add item page.
[jira] [Commented] (OFBIZ-10667) User should redirect to view cart page after adding the product from compare product screen
[ https://issues.apache.org/jira/browse/OFBIZ-10667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16700271#comment-16700271 ]

Jacques Le Roux commented on OFBIZ-10667:
-----------------------------------------

There is a problem with this fix. It changes the behaviour of additem when you add an item from the main or another page. The behaviour is defined by the "Always View Cart After Adding An Item." checkbox in the cart view.

> User should redirect to view cart page after adding the product from compare product screen
> -------------------------------------------------------------------------------------------
>
> Key: OFBIZ-10667
> URL: https://issues.apache.org/jira/browse/OFBIZ-10667
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk
> Reporter: Ratnesh Upadhyay
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: OFBIZ-10667.patch
>
> Currently the user is navigated to the add item page instead of the view cart page when adding a product to the cart from the compare product screen. The user gets stuck after navigating to the add item page.
> Steps to replicate the issue:
> 1. Go to the eCommerce application.
> 2. Click on the add to compare button for the products - Round Gizmo and Tiny Chrome Widget.
> 3. Click on 'Compare Products' from the right bar.
> 4. Click on 'Add to cart' on the compare product screen.
> Expected behaviour: The user should be redirected to the view cart page instead of the add item page.
[jira] [Commented] (OFBIZ-9768) While converting the lead, it redirects to the Create Party Relationship in SFA component
[ https://issues.apache.org/jira/browse/OFBIZ-9768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16700257#comment-16700257 ]

Jacques Le Roux commented on OFBIZ-9768:
----------------------------------------

I tried the patch, the idea seems good. When on the Lead conversion page I clicked on the Submit button and got:

bq. Exception thrown while creating the "newEntity" GenericValue: org.apache.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:PartyRelationship][createdStamp,2018-11-27 12:07:44.339(java.sql.Timestamp)][createdTxStamp,2018-11-27 12:07:44.216(java.sql.Timestamp)][fromDate,2018-11-27 12:07:44.339(java.sql.Timestamp)][lastUpdatedStamp,2018-11-27 12:07:44.339(java.sql.Timestamp)][lastUpdatedTxStamp,2018-11-27 12:07:44.216(java.sql.Timestamp)][partyIdFrom,admin(java.lang.String)][partyIdTo,sfa102(java.lang.String)][partyRelationshipTypeId,ACCOUNT(java.lang.String)][roleTypeIdFrom,OWNER(java.lang.String)][roleTypeIdTo,ACCOUNT(java.lang.String)] (SQL Exception while executing the following:INSERT INTO OFBIZ.PARTY_RELATIONSHIP (PARTY_ID_FROM, PARTY_ID_TO, ROLE_TYPE_ID_FROM, ROLE_TYPE_ID_TO, FROM_DATE, THRU_DATE, STATUS_ID, RELATIONSHIP_NAME, SECURITY_GROUP_ID, PRIORITY_TYPE_ID, PARTY_RELATIONSHIP_TYPE_ID, PERMISSIONS_ENUM_ID, POSITION_TITLE, COMMENTS, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'PARTY_RELATIONSHIP' caused a violation of foreign key constraint 'PARTY_REL_FPROLE' for key (admin,OWNER). The statement has been rolled back.)) (Error while inserting: [GenericEntity:PartyRelationship][createdStamp,2018-11-27 12:07:44.339(java.sql.Timestamp)][createdTxStamp,2018-11-27 12:07:44.216(java.sql.Timestamp)][fromDate,2018-11-27 12:07:44.339(java.sql.Timestamp)][lastUpdatedStamp,2018-11-27 12:07:44.339(java.sql.Timestamp)][lastUpdatedTxStamp,2018-11-27 12:07:44.216(java.sql.Timestamp)][partyIdFrom,admin(java.lang.String)][partyIdTo,sfa102(java.lang.String)][partyRelationshipTypeId,ACCOUNT(java.lang.String)][roleTypeIdFrom,OWNER(java.lang.String)][roleTypeIdTo,ACCOUNT(java.lang.String)] (SQL Exception while executing the following:INSERT INTO OFBIZ.PARTY_RELATIONSHIP (PARTY_ID_FROM, PARTY_ID_TO, ROLE_TYPE_ID_FROM, ROLE_TYPE_ID_TO, FROM_DATE, THRU_DATE, STATUS_ID, RELATIONSHIP_NAME, SECURITY_GROUP_ID, PRIORITY_TYPE_ID, PARTY_RELATIONSHIP_TYPE_ID, PERMISSIONS_ENUM_ID, POSITION_TITLE, COMMENTS, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'PARTY_RELATIONSHIP' caused a violation of foreign key constraint 'PARTY_REL_FPROLE' for key (admin,OWNER). The statement has been rolled back.)))

Not sure if it's an issue on my side or generic. To be checked, thanks.

> While converting the lead, it redirects to the Create Party Relationship in SFA component
> -----------------------------------------------------------------------------------------
>
> Key: OFBIZ-9768
> URL: https://issues.apache.org/jira/browse/OFBIZ-9768
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Release Branch 13.07, Trunk, Release Branch 16.11, Release Branch 17.12
> Reporter: Rubia Elza Joshep
> Assignee: Suraj Khurana
> Priority: Major
> Attachments: OFBIZ-9768.patch, screenshot-1.png, screenshot-2.png
>
> Steps to regenerate:
> 1) Open URL https://demo-trunk.ofbiz.apache.org/sfa/control/viewprofile?roleTypeId=LEAD&partyId=10007
> 2) Click on Convert lead, select the related company and click on Add.
> 3) It redirects to the Create Party Relationship.
> Expected: It should redirect to the Lead conversion page since the company is associated.
[jira] [Commented] (OFBIZ-5048) Multi Part Input Parameters not Available in Groovy Event
[ https://issues.apache.org/jira/browse/OFBIZ-5048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16700173#comment-16700173 ]

Jacques Le Roux commented on OFBIZ-5048:
----------------------------------------

I see no problems with that Deepak, just that I only reviewed (simple enough) and did not test.

> Multi Part Input Parameters not Available in Groovy Event
> ---------------------------------------------------------
>
> Key: OFBIZ-5048
> URL: https://issues.apache.org/jira/browse/OFBIZ-5048
> Project: OFBiz
> Issue Type: New Feature
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Vikramjit Singh
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: Upcoming Branch
> Attachments: GroovyEventMultipartParametes.patch, OFBIZ-5048.patch, OFBIZ-5048V2.patch
>
> If a form is of type enctype="multipart/form-data" and we are handling its submission through a Groovy Event, then in the parameters Map OFBiz does not set the multipart input parameters from the request parameters.
> The same are available when the multipart form submission is handled through a service.
> The reason being that the code that sets the multipart parameters in the request attribute is only available in ServiceEventHandler.java, and in GroovyEventHandler the multipart parameters are never set.
> So I have created a method getMultiPartParameterMap in the class UtilHttp.java and put the common logic in that method, so that when the getCombinedMap method is called from the GroovyEventHandler the method also calls getMultiPartParameterMap, and in the ServiceEventHandler I have written a call to the getMultiPartParameterMap method.
> I am attaching the patch. Kindly verify the same.
[jira] [Updated] (OFBIZ-10676) Self XSS
[ https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dinesh Mohanty updated OFBIZ-10676:
-----------------------------------

    Description:
A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
*Steps to Reproduce:*
1. Log in to the Scrum Management Portal as *productowner* and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
4. One can see that the XSS payload executes, confirming the Self XSS
Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.

  was:
A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
*Steps to Reproduce:*
1. Log in to the Scrum Management Portal as admin and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
4. One can see that the XSS payload executes, confirming the Self XSS
Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.

> Self XSS
> --------
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: Trunk, 16.11.05
> Reporter: Dinesh Mohanty
> Assignee: Benjamin Jugl
> Priority: Major
> Labels: security
>
> A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Log in to the Scrum Management Portal as *productowner* and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
> 4. One can see that the XSS payload executes, confirming the Self XSS
> Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.
[jira] [Assigned] (OFBIZ-10676) Self XSS
[ https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Jugl reassigned OFBIZ-10676:
-------------------------------------

    Assignee: Benjamin Jugl

> Self XSS
> --------
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: Trunk, 16.11.05
> Reporter: Dinesh Mohanty
> Assignee: Benjamin Jugl
> Priority: Major
> Labels: security
>
> A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Log in to the Scrum Management Portal as admin and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
> 4. One can see that the XSS payload executes, confirming the Self XSS
> Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.
[jira] [Updated] (OFBIZ-10676) Self XSS
[ https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl updated OFBIZ-10676:
----------------------------------

    Affects Version/s: Trunk

> Self XSS
> --------
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: Trunk, 16.11.05
> Reporter: Dinesh Mohanty
> Priority: Major
> Labels: security
>
> A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Log in to the Scrum Management Portal as admin and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
> 4. One can see that the XSS payload executes, confirming the Self XSS
> Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.
[jira] [Created] (OFBIZ-10676) Self XSS
Dinesh Mohanty created OFBIZ-10676:
--------------------------------------

             Summary: Self XSS
                 Key: OFBIZ-10676
                 URL: https://issues.apache.org/jira/browse/OFBIZ-10676
             Project: OFBiz
          Issue Type: Bug
          Components: scrum
    Affects Versions: 16.11.05
            Reporter: Dinesh Mohanty

A Self XSS vulnerability is present for "Product Backlog Item" for adding a ProductBacklog. Details of the issue have been emailed to the security team.
[jira] [Updated] (OFBIZ-10676) Self XSS
[ https://issues.apache.org/jira/browse/OFBIZ-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dinesh Mohanty updated OFBIZ-10676:
-----------------------------------

    Description:
A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
*Steps to Reproduce:*
1. Log in to the Scrum Management Portal as admin and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
4. One can see that the XSS payload executes, confirming the Self XSS
Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.

  was:
A Self XSS vulnerability is present for "Product Backlog Item" for adding a ProductBacklog. Details of the issue have been emailed to the security team.

> Self XSS
> --------
>
> Key: OFBIZ-10676
> URL: https://issues.apache.org/jira/browse/OFBIZ-10676
> Project: OFBiz
> Issue Type: Bug
> Components: scrum
> Affects Versions: 16.11.05
> Reporter: Dinesh Mohanty
> Priority: Major
> Labels: security
>
> A Self XSS vulnerability is present for "Product Backlog Item" for adding a Product Backlog. Details of the issue have been emailed to the security team.
> *Steps to Reproduce:*
> 1. Log in to the Scrum Management Portal as admin and click on your desired product; in the default instance it's *"Demo Product 1 [DEMO-PRODUCT-1]"*
> 2. The above URL in my case is [https://localhost:8443/scrum/control/AddProductBacklog?productId=DEMO-PRODUCT-1]
> 3. Now double click on any of the "*PRODUCT BACKLOG ITEM*" entries, change the value to *alert(1)* and click on OK
> 4. One can see that the XSS payload executes, confirming the Self XSS
> Note: The same has been confirmed by the Security Team, so publishing publicly through the OFBiz Jira platform.