[CVE-2012-1621] Apache OFBiz information disclosure vulnerability

> CVE-2012-1621: Apache OFBiz information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation - Apache OFBiz
>
> ======Versions Affected======
>
> Apache OFBiz 10.04 (also known as 10.04.01)
>
> ======Description======
>
> Multiple XSS:
>
> XSS 1:
> Error messages containing user input returned via ajax requests
> weren't being escaped
>
> XSS 2:
> Parameter arrays (converted to Lists by OFBiz) weren't being
> auto-encoded in freemarker templates.  An attacker could send multiple
> parameters sharing the same name where only a single value was
> expected, because the value was a List instead of a String rendering
> the parameter in freemarker via ${parameter} would bypass OFBiz's
> automatic html encoding.
>
> XSS 3:
> Requests that used the cms event were susceptible to XSS attacks via
> the contentId and mapKey parameters because if the content was found
> to be missing an unencoded error message containing the supplied
> values was being streamed to the browser.
>
> XSS 4:
> Requests that used the experimental Webslinger component were susceptible to XSS attacks
>
> ====== Mitigation======
>
> 10.04 users should upgrade to 10.04.02
>
> ======Credit======
>
> These issues were discovered by Matias Madou ([hidden email]) of Fortify/HP Security Research Group

> Good afternoon guys!
>
> Do you know how I can make sure that I'm using non-vulnerable version?
>
> According to this email, I need to upgrade from ofbiz 10.04 to
> 10.04.02. But I'm using the optimized version which have been derived
> from Ofbiz 9.x.
> And we customized a lot, so I cannot simply upgrade to 10.04.02.
>
> I check the trunk and tag, and it looks like there was lots of changes
> b/w 10.04(1060844) and 10.04.02(1326267). So I'm not sure which part I
> need to take a look to make sure my version is secured.
>
> Can you give me an idea how I can check my version?
>
> Thank you for reading.
>
> Soon-won
>
>
> On Sun, Apr 15, 2012 at 9:33 AM, Jacopo Cappellato <[hidden email]> wrote:
>> CVE-2012-1621: Apache OFBiz information disclosure vulnerability
>>
>> Severity: Important
>>
>> Vendor:
>> The Apache Software Foundation - Apache OFBiz
>>
>> ======Versions Affected======
>>
>> Apache OFBiz 10.04 (also known as 10.04.01)
>>
>> ======Description======
>>
>> Multiple XSS:
>>
>> XSS 1:
>> Error messages containing user input returned via ajax requests
>> weren't being escaped
>>
>> XSS 2:
>> Parameter arrays (converted to Lists by OFBiz) weren't being
>> auto-encoded in freemarker templates.  An attacker could send multiple
>> parameters sharing the same name where only a single value was
>> expected, because the value was a List instead of a String rendering
>> the parameter in freemarker via ${parameter} would bypass OFBiz's
>> automatic html encoding.
>>
>> XSS 3:
>> Requests that used the cms event were susceptible to XSS attacks via
>> the contentId and mapKey parameters because if the content was found
>> to be missing an unencoded error message containing the supplied
>> values was being streamed to the browser.
>>
>> XSS 4:
>> Requests that used the experimental Webslinger component were susceptible to XSS attacks
>>
>> ====== Mitigation======
>>
>> 10.04 users should upgrade to 10.04.02
>>
>> ======Credit======
>>
>> These issues were discovered by Matias Madou ([hidden email]) of Fortify/HP Security Research Group