The bugs have been reported on the 10.04 series and if you are running 09.04 you should not be affected; of course there are good reasons to plan for the upgrade to 10.04 because the 09.04 is an old branch and, according to the current release plan, it is now closed:
http://ofbiz.apache.org/download.html

Jacopo

On May 23, 2012, at 9:25 PM, Soon Won Park wrote:

> Good afternoon guys!
>
> Do you know how I can make sure that I'm using a non-vulnerable version?
>
> According to this email, I need to upgrade from ofbiz 10.04 to
> 10.04.02. But I'm using the optimized version which has been derived
> from Ofbiz 9.x.
> And we customized a lot, so I cannot simply upgrade to 10.04.02.
>
> I checked the trunk and tag, and it looks like there were lots of changes
> b/w 10.04(1060844) and 10.04.02(1326267). So I'm not sure which part I
> need to take a look at to make sure my version is secured.
>
> Can you give me an idea how I can check my version?
>
> Thank you for reading.
>
> Soon-won
>
>
> On Sun, Apr 15, 2012 at 9:33 AM, Jacopo Cappellato <[email protected]> wrote:
>> CVE-2012-1621: Apache OFBiz information disclosure vulnerability
>>
>> Severity: Important
>>
>> Vendor:
>> The Apache Software Foundation - Apache OFBiz
>>
>> ======Versions Affected======
>>
>> Apache OFBiz 10.04 (also known as 10.04.01)
>>
>> ======Description======
>>
>> Multiple XSS:
>>
>> XSS 1:
>> Error messages containing user input returned via ajax requests
>> weren't being escaped
>>
>> XSS 2:
>> Parameter arrays (converted to Lists by OFBiz) weren't being
>> auto-encoded in freemarker templates. An attacker could send multiple
>> parameters sharing the same name where only a single value was
>> expected, because the value was a List instead of a String, rendering
>> the parameter in freemarker via ${parameter} would bypass OFBiz's
>> automatic html encoding.
>>
>> XSS 3:
>> Requests that used the cms event were susceptible to XSS attacks via
>> the contentId and mapKey parameters because if the content was found
>> to be missing an unencoded error message containing the supplied
>> values was being streamed to the browser.
>>
>> XSS 4:
>> Requests that used the experimental Webslinger component were susceptible to
>> XSS attacks
>>
>> ======Mitigation======
>>
>> 10.04 users should upgrade to 10.04.02
>>
>> ======Credit======
>>
>> These issues were discovered by Matias Madou ([email protected]) of Fortify/HP
>> Security Research Group
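
The type-dependent encoding gap described under XSS 2 in the quoted advisory, as an added example that is not part of the original thread and is not OFBiz or FreeMarker code. The class and method names (`ParamEncodingDemo`, `renderFlawed`, `renderHardened`, `collapse`) are hypothetical, and the input is constructed, harmless markup.

```java
import java.util.*;

// Illustration of the bug class only; hypothetical names, not OFBiz code.
public class ParamEncodingDemo {

    // Minimal HTML encoder for element-content context.
    static String html(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Flawed: only String values are encoded; any other type falls through raw.
    static String renderFlawed(Object value) {
        return (value instanceof String) ? html((String) value) : String.valueOf(value);
    }

    // Hardened: encode each element of a collection and the string form of anything else.
    static String renderHardened(Object value) {
        if (value instanceof Collection) {
            List<String> parts = new ArrayList<>();
            for (Object o : (Collection<?>) value) parts.add(renderHardened(o));
            return String.join(", ", parts);
        }
        return html(String.valueOf(value));
    }

    // Models a request map in which a repeated parameter name becomes a List.
    static Object collapse(List<String> values) {
        return values.size() == 1 ? values.get(0) : values;
    }

    public static void main(String[] args) {
        String markup = "<b>x</b>"; // constructed sample value
        Object single = collapse(Arrays.asList(markup));
        Object repeated = collapse(Arrays.asList(markup, "y"));
        System.out.println("flawed, single value:    " + renderFlawed(single));
        System.out.println("flawed, repeated name:   " + renderFlawed(repeated));
        System.out.println("hardened, repeated name: " + renderHardened(repeated));
    }
}
```

When reviewing a customized code base for this class of issue, the thing to look for is any output-encoding path that decides by the value's runtime type and leaves non-String request parameters unencoded.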
