Good afternoon guys! Do you know how I can make sure that I'm using a non-vulnerable version?

According to this email, I need to upgrade from OFBiz 10.04 to 10.04.02. But I'm using an optimized version which has been derived from OFBiz 9.x, and we customized a lot, so I cannot simply upgrade to 10.04.02. I checked the trunk and tags, and it looks like there were lots of changes between 10.04 (1060844) and 10.04.02 (1326267). So I'm not sure which part I need to take a look at to make sure my version is secure. Can you give me an idea how I can check my version?

Thank you for reading.

Soon-won

On Sun, Apr 15, 2012 at 9:33 AM, Jacopo Cappellato <[email protected]> wrote:

> CVE-2012-1621: Apache OFBiz information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation - Apache OFBiz
>
> ======Versions Affected======
>
> Apache OFBiz 10.04 (also known as 10.04.01)
>
> ======Description======
>
> Multiple XSS:
>
> XSS 1:
> Error messages containing user input returned via ajax requests weren't being escaped.
>
> XSS 2:
> Parameter arrays (converted to Lists by OFBiz) weren't being auto-encoded in freemarker templates. An attacker could send multiple parameters sharing the same name where only a single value was expected; because the value was a List instead of a String, rendering the parameter in freemarker via ${parameter} would bypass OFBiz's automatic html encoding.
>
> XSS 3:
> Requests that used the cms event were susceptible to XSS attacks via the contentId and mapKey parameters because, if the content was found to be missing, an unencoded error message containing the supplied values was being streamed to the browser.
>
> XSS 4:
> Requests that used the experimental Webslinger component were susceptible to XSS attacks.
>
> ======Mitigation======
>
> 10.04 users should upgrade to 10.04.02
>
> ======Credit======
>
> These issues were discovered by Matias Madou ([email protected]) of Fortify/HP Security Research Group
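To illustrate the List-versus-String encoding gap described under XSS 2 in the quoted advisory, here is an added, self-contained Java model; it is not OFBiz's or FreeMarker's own code, and the parameter parsing, the weak and hardened renderers and the sample query strings are all constructed for this example. It shows why a renderer that only escapes String values is not enough, and what an element-wise encoder returns for the same input.

```java
import java.util.*;

// Constructed model of the XSS 2 issue above; not OFBiz's or FreeMarker's own code.
public class ParamEncodingCheck {

    // Minimal HTML encoder for the five characters that matter in element and attribute context ('&' first).
    static String htmlEncode(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Weak: mirrors the pre-fix behaviour described in the advisory; only Strings are encoded,
    // any other type (including a List) falls back to its unescaped toString().
    static String renderWeak(Object value) {
        return value instanceof String ? htmlEncode((String) value) : String.valueOf(value);
    }

    // Hardened: collections are encoded element-wise before joining, so the runtime type no longer matters.
    static String renderHardened(Object value) {
        if (value instanceof Collection<?>) {
            List<String> out = new ArrayList<>();
            for (Object o : (Collection<?>) value) out.add(renderHardened(o));
            return out.toString();
        }
        return htmlEncode(String.valueOf(value));
    }

    // Build a parameter map the way a web framework does: one value stays a String, a repeated name becomes a List.
    static Map<String, Object> parseQuery(String query) {
        Map<String, List<String>> multi = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            multi.computeIfAbsent(kv[0], k -> new ArrayList<>()).add(kv.length > 1 ? kv[1] : "");
        }
        Map<String, Object> params = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : multi.entrySet())
            params.put(e.getKey(), e.getValue().size() == 1 ? e.getValue().get(0) : e.getValue());
        return params;
    }

    public static void main(String[] args) {
        // Constructed, already URL-decoded query strings: the same value sent once and sent twice under one name.
        for (String query : new String[] {"q=<b>x</b>", "q=<b>x</b>&q=<b>y</b>"}) {
            Object q = parseQuery(query).get("q");
            System.out.println(q.getClass().getSimpleName() + "  weak=" + renderWeak(q) + "  hardened=" + renderHardened(q));
        }
    }
}
```

The same idea works as a regression check against a customized fork: feed the rendering layer a List-typed parameter value and assert that the markup characters come back encoded.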
