[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wickersheimer Jeremy updated OFBIZ-1193:
----------------------------------------

Attachment: ofbiz-1193-logins.patch

Patch the common and ecommerce login and password change pages.

> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
> Key: OFBIZ-1193
> URL: https://issues.apache.org/jira/browse/OFBIZ-1193
> Project: OFBiz
> Issue Type: Improvement
> Affects Versions: SVN trunk
> Environment: any environment
> Reporter: Vikrant Rathore
> Priority: Critical
> Attachments: error screenshot.jpg, ofbiz-1193-logins.patch, ofbiz-1193-messages_ftl.patch, ofbiz-1193-webtools_entity.patch
>
> This is a very critical bug in ofbiz: you can put any html text, including script or iframe tags, in the input field for address update or customer name update, i.e. any text field in ofbiz.
> It's a major security issue for all ofbiz installations, since the text in the input text field is not sanitized.
> Below is a small piece of the source code of the page where a script in the demo store for the DemoCustomer profile just pops up an alert box.
>
> <tr>
> <td width="26%" align="right" valign="top"><div class="tabletext">Address Line 1</div></td>
> <td width="5"> </td>
> <td width="74%">
> <input type="text" class='inputBox' size="30" maxlength="30" name="address1" value=""/><script>alert("a")</script>">
> *</td>
> </tr>
> <tr>
>
> Along with this, the screenshot is attached; you can try the demo on the ofbiz ecommerce store on the ofbiz website, use the DemoCustomer profile, and you will see the same screenshot.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
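The snippet in the report shows the root cause: the stored address1 value is written into a value="" attribute without HTML encoding, so a double quote in the data ends the attribute and the rest becomes markup. The following is an added example, not OFBiz code and not taken from the patches attached to this issue; it renders the address1 row as the report shows it and with attribute-context escaping, then parses each result the way a browser would. The payload is the one from the issue description; the function names and the trimmed template are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed from the snippet in the issue: the stored address1 value that
# closes the value="" attribute early and appends a script element.
PAYLOAD = '"/><script>alert("a")</script>'

_INPUT = ('<td width="74%"><input type="text" class="inputBox" size="30" '
          'maxlength="30" name="address1" value="')


def render_address_row_unsafe(address1: str) -> str:
    """Template as the report shows it: the stored value is concatenated
    into the attribute, so quotes and angle brackets in it become markup."""
    return _INPUT + address1 + '"/>*</td>'


def render_address_row_safe(address1: str) -> str:
    """Same template with the value HTML-encoded for an attribute context;
    quote=True turns '"' into &quot; so the data cannot end the attribute."""
    return _INPUT + html.escape(address1, quote=True) + '"/>*</td>'


class _Audit(HTMLParser):
    """Records what a browser would see: script elements and the value the
    address1 input actually carries (the parser decodes &quot; etc.)."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.address1 = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input" and dict(attrs).get("name") == "address1":
            self.address1 = dict(attrs).get("value")


def audit(fragment: str) -> dict:
    """Parse a rendered fragment and report script count and field value."""
    parser = _Audit()
    parser.feed(fragment)
    parser.close()
    return {"script_tags": parser.script_tags, "address1": parser.address1}


if __name__ == "__main__":
    print(audit(render_address_row_unsafe(PAYLOAD)))  # script_tags 1, value ""
    print(audit(render_address_row_safe(PAYLOAD)))    # script_tags 0, value = PAYLOAD
```

The safe variant keeps the whole string inside the attribute, which is the same property the FreeMarker and login-page patches on this issue aim for: encode at output time in the context the value lands in, rather than relying on input filtering.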
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato updated OFBIZ-1193:
-------------------------------------

Priority: Major (was: Critical)

I'm adjusting again the priority from critical to major... in most installations the manager applications are not publicly accessible from the outside, and I'm still not 100% sure that this can be really exploited to do real damage (not only open a popup window)... but beat me if I am wrong.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12521330 ]

Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

Then beat yourself for me. It can be used to propagate viruses (since it can make the victim browser download whatever content). For the real "steal all my data" cracking, I will just refer to the bad guys' endless imagination...
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12547616 ]

BJ Freeman commented on OFBIZ-1193:
-----------------------------------

As many times as this issue has been brought up, there should be some work on it. And it should be ver 4.0 as well, since there was a consensus about security.
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Risaliti updated OFBIZ-1193:
----------------------------------

Component/s: framework, ecommerce
Fix Version/s: SVN trunk
[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-1193.
----------------------------------

Resolution: Fixed
Assignee: David E. Jones

Fixed by recent security efforts.