html code is not sanitized in all the text input field
------------------------------------------------------

                 Key: OFBIZ-1193
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1193
             Project: OFBiz
          Issue Type: Bug
    Affects Versions: SVN trunk
         Environment: any environment
            Reporter: Vikrant Rathore
            Priority: Blocker

This is a very critical bug in ofbiz: you can put any html text, including script or iframe tags, in the input field for address update or customer name update, i.e. any text field in ofbiz.

It's a major security issue for all ofbiz installations, since the text in the input text field is not sanitized.

Below is a small piece of the source code of the page where a script in the demo store, for the DemoCustomer profile, just pops up an alert box.

    <tr>
        <td width="26%" align="right" valign="top"><div class="tabletext">Address Line 1</div></td>
        <td width="5"> </td>
        <td width="74%">
            <input type="text" class='inputBox' size="30" maxlength="30" name="address1" value=""/><script>alert("a")</script>">
            *</td>
    </tr>
    <tr>

Along with this I have attached the screenshot. You can try the demo on the ofbiz ecommerce store on the ofbiz website and use the DemoCustomer profile; you will see the same screenshot.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vikrant Rathore updated OFBIZ-1193:
-----------------------------------

    Attachment: error screenshot.jpg
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato updated OFBIZ-1193:
-------------------------------------

    Priority: Major  (was: Blocker)
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518719 ]

Jacques Le Roux commented on OFBIZ-1193:
----------------------------------------

This (or something similar) has already been reported and discussed in other issues: OFBIZ-178 and OFBIZ-260. Nobody since then has proved any threats at the server level, or implemented a solution (some have been suggested)... This does not mean that we should not look at it, but I agree with Jacopo: it's not in any way a blocker!
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518892 ]

Vikrant Rathore commented on OFBIZ-1193:
----------------------------------------

In my view it should be placed as a blocker, since it's one of the basic features of any webapp to avoid script and dangerous html tags, along with XSS. Indeed every CMS sanitizes html, so the same should be done for this webapp.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518895 ]

Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

> Nobody since then has proved any threats at the server level,

What do you mean? I can steal the session cookie and log in as admin (for example); I would say it IS a threat. I did not look too much into it (cookie stealing is the easiest); I guess I could do CSRF too, maybe some funny DOM manipulation, stealing customers' data, and so on...

It should be top priority because I am not sure businesses would choose an ERP with XSS.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518898 ]

David E. Jones commented on OFBIZ-1193:
---------------------------------------

Are either of you up for helping with this? The first step would be to create some error scenarios that are problems right now, and then when the fix is in place we can see them fixed.

So, the first goal as I see it is to write up 2-3 manual processes for actual security vulnerabilities.

I'm really interested in seeing these because all you can do with script injection is make the browser do things. The way OFBiz is designed all security and validation is done on the server, even if it is also done on the client. The only way I can think of you could do session hijacking is to have access to a browser an admin user has used and is still logged into, or by sniffing packets over the network.

Of course, I'm not a security expert and haven't had the pleasure of researching these things in detail.

So yeah, specific scenarios we can work toward would be great and/or necessary to make progress on this.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518901 ]

Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

> Are either of you up for helping with this?

At least I will have to.

> So, the first goal as I see it is to write up 2-3 manual processes for actual security vulnerabilities.

The obvious first target is the ecommerce side, because you can inject script in the checkout process (shipping address, name, ...).

> The only way I can think of you could do session hijacking is to have access to a browser an admin user has used and is still logged into, or by sniffing packets over the network.

I just did. Injecting from ecommerce (see above). Then when any logged-in user displays the script I get the JSESSIONID. That is all that is needed for me to enter the system as this user. If I am lucky I get an account that has access to the webtool, but that is not unlikely at all, especially because it uses a different JSESSIONID (easy to detect) and because the script works when a user displays the malicious data in the webtool! After that I have unlimited access to all the data, and I could download all the password hashes for example. If the hack wasn't detected at this point I could then remove the malicious code and brute force the passwords (which is not difficult since the hashes are not salted (see another OFBIZ issue I opened)).
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518915 ]

Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

For those who will want a work-around, disabling javascript on the ERP side would prevent leaking authenticated sessions.

Then it should be possible to prevent leaked sessions from being usable by:
- checking the request parameters for suspicious changes:
  - different user-agent
  - different ip address (can cause issues with some setups using a Proxy, fooled by NAT)
  - external referer
- regenerating sessions for each request (also prevents session fixation): the client is given a new JSESSIONID for each request which is then only valid for the next request; if the session id is intercepted it must be used before the client makes another request (note that this is still possible)

Of course these measures can still be fooled easily.
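As an added example, not part of the thread or of OFBiz, the following Python models the work-around above: a session store that binds a session to its User-Agent, IP address and referer origin and issues a fresh id on every request, then walks through which misuse cases that stops and the one it does not (an intercepted id presented before the client's next request). The class and function names, the site host and the sample requests are constructed.

```python
"""Session-hardening demo (added example, not OFBiz code).

Models the work-around from the thread: bind a session to the client's
User-Agent / IP / referer origin, and give the client a fresh JSESSIONID on
every request so a leaked id stops working as soon as the legitimate client
makes its next request. Names, host and sample requests are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Session:
    user: str
    user_agent: str
    ip: str
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, site_host: str, bind_ip: bool = True) -> None:
        self.site_host = site_host
        # IP binding breaks for clients behind NAT or a rotating proxy pool,
        # so a deployment may switch it off and keep the other two checks.
        self.bind_ip = bind_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, user_agent: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, user_agent, ip)
        return sid

    def is_active(self, sid: str) -> bool:
        return sid in self._sessions

    def _suspicious(self, s: Session, user_agent: str, ip: str,
                    referer: Optional[str]) -> Optional[str]:
        if user_agent != s.user_agent:
            return "user-agent changed"
        if self.bind_ip and ip != s.ip:
            return "ip address changed"
        if referer and urlsplit(referer).hostname != self.site_host:
            return "external referer"
        return None

    def authenticate(self, sid: str, user_agent: str, ip: str,
                     referer: Optional[str] = None) -> Tuple[Optional[str], object]:
        """Validate a presented id. Returns (new_sid, session) on success or
        (None, reason) on failure. The presented id is consumed either way; on
        success the caller sends new_sid back in the Set-Cookie header."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None, "unknown or already-used session id"
        reason = self._suspicious(s, user_agent, ip, referer)
        if reason is not None:
            # Fingerprint mismatch: destroy the session so neither the thief nor
            # the client can continue; log it and force a fresh login.
            return None, reason
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid, s


def demo() -> dict:
    """Walk through the cases discussed in the thread and report outcomes."""
    store = SessionStore("erp.example.test")
    ua, ip = "Mozilla/5.0 (constructed client)", "10.0.0.5"
    home = "https://erp.example.test/webtools/control/main"

    sid1 = store.login("admin", ua, ip)
    sid2, _ = store.authenticate(sid1, ua, ip, referer=home)    # normal request
    _, replay = store.authenticate(sid1, ua, ip, referer=home)  # old id replayed
    _, foreign = store.authenticate(sid2, "curl/8 (constructed)", "203.0.113.9")

    # Limitation Jeremy notes: a leaked id with a matching fingerprint that is
    # presented before the client's next request is still accepted.
    sid3 = store.login("admin", ua, ip)
    raced, _ = store.authenticate(sid3, ua, ip, referer=home)

    return {
        "rotated": sid2 is not None and sid2 != sid1,
        "replay": replay,
        "foreign": foreign,
        "session_destroyed": not store.is_active(sid2),
        "race_accepted": raced is not None,
    }
```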
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518942 ]

Vikrant Rathore commented on OFBIZ-1193:
----------------------------------------

Let's work as we discussed: try to remove all the html from text box input; in general we do not need html for address or text fields, except text areas, where we need to sanitize the html. Probably submit the patch to the community if they accept.

In my view no company would accept an ecommerce and backend application which can allow hijacking of client computers (especially the operator using the system in the backend), which may lead to access to their backend systems.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518947 ]

David E. Jones commented on OFBIZ-1193:
---------------------------------------

How about the idea of filtering output, and especially focusing on removing script tags and related attributes and the like. I mention this because there are many ways data can get into the system aside from just the web applications (integrations, migrated data, content feeds, etc).
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518953 ]

Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

Filtering is not trivial, especially as I don't know how to implement it in Ofbiz to cover everything.

So far I found that a simple patch to the simpleMethod map processor Copy.java could sanitize most of the input strings. Just one line of code calling StringUtil.htmlSpecialChars. Of course there are a few cases where we want HTML; for this I could add a parameter in the xml Copy tag to tell it not to sanitize.

Monday I will see which input values are left out by this.

PS: I also found a related issue in LoginWorker.makeLoginUrl: the method doesn't escape the parameter values...
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1193:
-----------------------------------

    Priority: Critical  (was: Major)

As it seems that more people are interested in this task, I set it as critical.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1193:
-----------------------------------

    Issue Type: Improvement  (was: Bug)

Also this is not a bug, but an improvement waiting for good will...
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12519853 ]

Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

Filtering the output is indeed what needs to be done, but it should be done globally:
- patch ALL ftl files to use ?html for direct user input (request parameters) and database output
- patch the framework to escape those inputs when generating HTML

Also, same issue with Javascript output (in freemarker we should use ?js_string).

This should be added to the developer documentation (best practice).

I would like to see some input from the Framework developers too as to how we can do it properly and thoughtfully.
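As an added example (not OFBiz or FreeMarker code), the following Python models the two output contexts named above, ?html-style escaping for values written into markup and ?js_string-style escaping for values written into an inline script, using the address1 value quoted in the issue report; the template fragments, the helper names and the probe parser are constructed for the demonstration.

```python
"""Output-escaping demo (added example, not OFBiz or FreeMarker code).

Models the two template contexts named in the thread: values written into
HTML markup get ?html-style escaping, values written into an inline script
get ?js_string-style escaping. The address1 value is the payload quoted in
the issue report; the templates, helper names and probe parser are constructed.
"""
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# The value visible in the page source quoted in the issue report.
ADDRESS1 = '"/><script>alert("a")</script>'

# Constructed stand-ins for the ftl fragments: an attribute context and a JS-string context.
ADDRESS_INPUT = '<input type="text" class="inputBox" name="address1" value="{value}"/>'
INLINE_SCRIPT = '<script>var address1 = "{value}";</script>'


def escape_html(value: str) -> str:
    """What FreeMarker's ?html does: & < > " (and ') become character references."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """What ?js_string does: backslash-escape quotes, backslashes and line breaks,
    and break up '</' so the HTML parser cannot end the enclosing <script> early."""
    out = value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")
    out = out.replace("\n", "\\n").replace("\r", "\\r")
    return out.replace("</", "<\\/")


def render_attribute(value: str, escape: bool) -> str:
    return ADDRESS_INPUT.format(value=escape_html(value) if escape else value)


def render_script(value: str, escape: bool) -> str:
    return INLINE_SCRIPT.format(value=escape_js_string(value) if escape else value)


class _Probe(HTMLParser):
    """Records the elements a browser would see and the value of the address1 field."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.address1: Optional[str] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        if tag == "input":
            self.address1 = dict(attrs).get("value")


def inspect_attribute(markup: str) -> Tuple[List[str], Optional[str]]:
    probe = _Probe()
    probe.feed(markup)
    probe.close()
    return probe.tags, probe.address1


def demo() -> dict:
    """Render the payload both ways and report what the parser sees."""
    raw_tags, raw_value = inspect_attribute(render_attribute(ADDRESS1, escape=False))
    safe_tags, safe_value = inspect_attribute(render_attribute(ADDRESS1, escape=True))
    return {
        "raw_tags": raw_tags,        # ['input', 'script']: payload became a real element
        "raw_value": raw_value,      # '': the attribute was closed early by the payload
        "safe_tags": safe_tags,      # ['input']: only the template's own element
        "safe_value": safe_value,    # the original text, displayed verbatim in the field
        "raw_script_closers": render_script(ADDRESS1, escape=False).count("</script"),  # 2
        "safe_script_closers": render_script(ADDRESS1, escape=True).count("</script"),  # 1
    }
```

The escaped attribute round-trips the customer's text unchanged, which is why output escaping (rather than stripping on input) keeps addresses containing characters such as & or < intact.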
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wickersheimer Jeremy updated OFBIZ-1193:
----------------------------------------

    Attachment: ofbiz-1193-messages_ftl.patch

Example that escapes HTML from error messages and event messages. This prevents the HTML from breaking badly when user input is displayed in the message. I do not know if this specific case is exploitable (I think it is, just not easily) but it is just an example.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12519860 ] Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------
Another remark is that Freemarker already has static methods to escape HTML, Javascript, Java, ... so maybe we could use their code in the framework as well?
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12519863 ] Jacopo Cappellato commented on OFBIZ-1193:
------------------------------------------
Jeremy, in my opinion the best way to globally fix ALL the screens in the backend applications is:
1) push forward the effort of migrating the bsh/ftl to widgets
2) when this is done, add code to the form widget class (i.e. in a central place) to check the html in the form: this will have a global effect on all the screens
3) manually fix the (hopefully) few ftl files that cannot be migrated to the widgets
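An added example (not OFBiz's or FreeMarker's own code) of the central encoding step the two comments above circle around: Jeremy's escaping of user input before it is displayed, and Jacopo's proposal to check field values in one place in the form widget. FormFieldEncoder, htmlEnc and renderTextField are hypothetical names; htmlEnc does the same job as freemarker.template.utility.StringUtil.HTMLEnc (the FreeMarker helper Jeremy refers to) but is written out here so the class compiles without FreeMarker on the classpath.

```java
// Added example, not OFBiz code: output-encode a stored value before it is placed
// in an HTML attribute, using the address1 value from the issue report as input.
public final class FormFieldEncoder {

    /** Escape the characters that let a value break out of a double-quoted attribute. */
    public static String htmlEnc(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render a text field as the profile page does, but with the stored value encoded. */
    public static String renderTextField(String name, String value) {
        return "<input type=\"text\" class=\"inputBox\" size=\"30\" maxlength=\"30\" name=\""
                + htmlEnc(name) + "\" value=\"" + htmlEnc(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample: the address1 value shown in the issue report.
        String stored = "\"/><script>alert(\"a\")</script>";
        String unencoded = "<input type=\"text\" name=\"address1\" value=\"" + stored + "\"/>";
        String encoded = renderTextField("address1", stored);
        System.out.println("unencoded: " + unencoded);
        System.out.println("encoded:   " + encoded);
        // With encoding, exactly one tag (the <input>) is emitted: the value never
        // closes the attribute or opens a new element.
        if (encoded.indexOf('<') != encoded.lastIndexOf('<')) {
            throw new AssertionError("encoding failed");
        }
    }
}
```

The same htmlEnc call belongs wherever the widget writes a field name, value or message into markup, which is what makes the fix global rather than per-template.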
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12519881 ] Adrian Crum commented on OFBIZ-1193:
------------------------------------
Jacopo, there is still a lot of screen rendering done in ftl. I'm not sure that will go away completely. Maybe we can look at a way to fix the ftl problem globally.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Wickersheimer Jeremy updated OFBIZ-1193:
----------------------------------------
Attachment: ofbiz-1193-webtools_entity.patch

This patch escapes HTML and Javascript in the Webtools Entity viewer / finder.
PS: The entity editor is a bit broken in SVN (problem of javascript / css / layout)