CVE-2012-1621: Apache OFBiz information disclosure vulnerability
Severity: Important

Vendor:
The Apache Software Foundation - Apache OFBiz

======Versions Affected======

Apache OFBiz 10.04 (also known as 10.04.01)

======Description======

Multiple XSS:

XSS 1:
Error messages containing user input returned via ajax requests weren't being escaped.

XSS 2:
Parameter arrays (converted to Lists by OFBiz) weren't being auto-encoded in freemarker templates. An attacker could send multiple parameters sharing the same name where only a single value was expected; because the value was a List instead of a String, rendering the parameter in freemarker via ${parameter} would bypass OFBiz's automatic html encoding.

XSS 3:
Requests that used the cms event were susceptible to XSS attacks via the contentId and mapKey parameters, because if the content was found to be missing, an unencoded error message containing the supplied values was being streamed to the browser.

XSS 4:
Requests that used the experimental Webslinger component were susceptible to XSS attacks.

======Mitigation======

10.04 users should upgrade to 10.04.02

======Credit======

These issues were discovered by Matias Madou ([hidden email]) of Fortify/HP Security Research Group
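The XSS 2 item above describes a type-dependent encoding gap: an output-encoding wrapper that only handles String values is silently bypassed when the same parameter is sent twice and the framework hands the template a List instead. The Python model below is an added example written for this page; it is not OFBiz or FreeMarker code, and the functions `parse_request_params`, `encode_strings_only`, `encode_recursively`, `render_parameter` and `leaks_markup`, as well as the "join a list with ', '" rendering rule, are assumptions made to illustrate the mechanism and its fix (encode every string leaf regardless of the container type), not a description of how OFBiz actually implements either.

```python
import html
from urllib.parse import parse_qs


def parse_request_params(query_string):
    """Model of the request-parameter map (assumption about OFBiz behaviour,
    based only on the advisory): a name sent once becomes a str, a name sent
    more than once becomes a list of str."""
    raw = parse_qs(query_string, keep_blank_values=True)
    return {name: (values[0] if len(values) == 1 else values)
            for name, values in raw.items()}


def encode_strings_only(value):
    """The defective wrapper: only str values are HTML-encoded. A list
    (a repeated parameter) is returned untouched, which is the XSS 2 bypass."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    return value


def encode_recursively(value):
    """Hardened wrapper: descend into lists, tuples and dicts and encode
    every str leaf, so the container type of the parameter no longer matters."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, (list, tuple)):
        return [encode_recursively(item) for item in value]
    if isinstance(value, dict):
        return {key: encode_recursively(item) for key, item in value.items()}
    return value


def render_parameter(params, name, wrapper):
    """Model of ${parameters.name} in a template (assumption): the wrapped
    value is printed; a list is joined with ', ' as a template printing a
    sequence element by element would."""
    value = wrapper(params.get(name, ""))
    if isinstance(value, (list, tuple)):
        return ", ".join(str(item) for item in value)
    return str(value)


def leaks_markup(rendered):
    """Defender-side check for a rendered fragment that should contain only
    text: any raw angle bracket means the encoding step was skipped."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    # Constructed requests: the parameter 'q' sent once, then sent twice.
    single = parse_request_params("q=%3Cb%3Ehello%3C%2Fb%3E")
    repeated = parse_request_params("q=first&q=%3Cb%3Ehello%3C%2Fb%3E")
    for label, params in (("single", single), ("repeated", repeated)):
        for wrapper in (encode_strings_only, encode_recursively):
            out = render_parameter(params, "q", wrapper)
            print(f"{label:8s} {wrapper.__name__:20s} "
                  f"leaks={str(leaks_markup(out)):5s} {out}")
```

Run stand-alone, the single-valued request is encoded by both wrappers, while the repeated request passes through `encode_strings_only` with its angle brackets intact and is only neutralised by `encode_recursively`. The same check (does any rendered text fragment still contain a raw `<`?) is a cheap regression test to keep around when a customised branch cannot simply be upgraded, because it exercises the behaviour rather than a version number.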
Good afternoon guys!
Do you know how I can make sure that I'm using a non-vulnerable version?

According to this email, I need to upgrade from ofbiz 10.04 to 10.04.02. But I'm using the optimized version which has been derived from Ofbiz 9.x.
And we customized a lot, so I cannot simply upgrade to 10.04.02.

I checked the trunk and tag, and it looks like there were lots of changes b/w 10.04 (1060844) and 10.04.02 (1326267). So I'm not sure which part I need to take a look at to make sure my version is secured.

Can you give me an idea how I can check my version?

Thank you for reading.

Soon-won

On Sun, Apr 15, 2012 at 9:33 AM, Jacopo Cappellato <[hidden email]> wrote:
> CVE-2012-1621: Apache OFBiz information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation - Apache OFBiz
>
> ======Versions Affected======
>
> Apache OFBiz 10.04 (also known as 10.04.01)
>
> ======Description======
>
> Multiple XSS:
>
> XSS 1:
> Error messages containing user input returned via ajax requests
> weren't being escaped
>
> XSS 2:
> Parameter arrays (converted to Lists by OFBiz) weren't being
> auto-encoded in freemarker templates. An attacker could send multiple
> parameters sharing the same name where only a single value was
> expected; because the value was a List instead of a String, rendering
> the parameter in freemarker via ${parameter} would bypass OFBiz's
> automatic html encoding.
>
> XSS 3:
> Requests that used the cms event were susceptible to XSS attacks via
> the contentId and mapKey parameters, because if the content was found
> to be missing, an unencoded error message containing the supplied
> values was being streamed to the browser.
>
> XSS 4:
> Requests that used the experimental Webslinger component were susceptible to XSS attacks
>
> ======Mitigation======
>
> 10.04 users should upgrade to 10.04.02
>
> ======Credit======
>
> These issues were discovered by Matias Madou ([hidden email]) of Fortify/HP Security Research Group
The bugs have been reported on the 10.04 series and if you are running 09.04 you should not be affected; of course there are good reasons to plan for the upgrade to 10.04, because 09.04 is an old branch and, according to the current release plan, it is now closed:

http://ofbiz.apache.org/download.html

Jacopo

On May 23, 2012, at 9:25 PM, Soon Won Park wrote:
> Good afternoon guys!
>
> Do you know how I can make sure that I'm using a non-vulnerable version?
>
> According to this email, I need to upgrade from ofbiz 10.04 to
> 10.04.02. But I'm using the optimized version which has been derived
> from Ofbiz 9.x.
> And we customized a lot, so I cannot simply upgrade to 10.04.02.
>
> I checked the trunk and tag, and it looks like there were lots of changes
> b/w 10.04 (1060844) and 10.04.02 (1326267). So I'm not sure which part I
> need to take a look at to make sure my version is secured.
>
> Can you give me an idea how I can check my version?
>
> Thank you for reading.
>
> Soon-won
>
>
> On Sun, Apr 15, 2012 at 9:33 AM, Jacopo Cappellato <[hidden email]> wrote:
>> CVE-2012-1621: Apache OFBiz information disclosure vulnerability
>>
>> Severity: Important
>>
>> Vendor:
>> The Apache Software Foundation - Apache OFBiz
>>
>> ======Versions Affected======
>>
>> Apache OFBiz 10.04 (also known as 10.04.01)
>>
>> ======Description======
>>
>> Multiple XSS:
>>
>> XSS 1:
>> Error messages containing user input returned via ajax requests
>> weren't being escaped
>>
>> XSS 2:
>> Parameter arrays (converted to Lists by OFBiz) weren't being
>> auto-encoded in freemarker templates. An attacker could send multiple
>> parameters sharing the same name where only a single value was
>> expected; because the value was a List instead of a String, rendering
>> the parameter in freemarker via ${parameter} would bypass OFBiz's
>> automatic html encoding.
>>
>> XSS 3:
>> Requests that used the cms event were susceptible to XSS attacks via
>> the contentId and mapKey parameters, because if the content was found
>> to be missing, an unencoded error message containing the supplied
>> values was being streamed to the browser.
>>
>> XSS 4:
>> Requests that used the experimental Webslinger component were susceptible to XSS attacks
>>
>> ======Mitigation======
>>
>> 10.04 users should upgrade to 10.04.02
>>
>> ======Credit======
>>
>> These issues were discovered by Matias Madou ([hidden email]) of Fortify/HP Security Research Group