[jira] Created: (OFBIZ-2121) XSS vulnerability in eCommerce/ordermgr


[jira] Created: (OFBIZ-2121) XSS vulnerability in eCommerce/ordermgr

Nicolas Malin (Jira)
XSS vulnerability in eCommerce/ordermgr
---------------------------------------

                 Key: OFBIZ-2121
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2121
             Project: OFBiz
          Issue Type: Bug
          Components: order
    Affects Versions: SVN trunk
            Reporter: Philipp Hoppen


Any HTML/Javascript that is placed within the fields "shipping_instructions" or "gift_message" (possibly other fields too) when making a new order in eCommerce is executed in the ordermgr module when the order is displayed. For example, using this HTML code

<iframe
src="http://ofbiz.apache.org/"
style="position:absolute;
top:0;left:0; border:0px
#FFFFFF none;" name="myframe"
marginheight="0px"
marginwidth="0px" height="768"
width="1024"></iframe>

an iframe is displayed with the OFBiz project home page. Now suppose the iframe actually displays a faked OFBiz login page or anything like this (the possibilities are endless...).

Is there any reason why the FTL escape directives are not used (in this case in orderheader.ftl) to encode content properly using for example something like this:

<#escape x as x?html>
  First name: ${firstName}
  Last name: ${lastName}
  Maiden name: ${maidenName}
</#escape>

(See http://freemarker.org/docs/ref_directive_escape.html for details)

I know there were some other Jira issues about similar problems, but I didn't see any current effort to fix these things.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
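
As an added illustration of the escape directive the reporter suggests (this is not OFBiz or FreeMarker project code), the following Java program renders a constructed order-header fragment twice, once with the fields interpolated raw and once wrapped in <#escape x as x?html>, so the effect on a gift message containing markup is visible. It assumes freemarker.jar (2.3.31 or newer) on the classpath; the template text, model keys and sample field values are stand-ins, not the real orderheader.ftl or real order data.

```java
// Added example, not OFBiz or FreeMarker code. Assumes freemarker.jar 2.3.31+.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class EscapeDemo {
    // Hypothetical stand-in for the unescaped interpolations in orderheader.ftl.
    static final String VULNERABLE =
        "Gift message: ${giftMessage}\nShipping instructions: ${shippingInstructions}\n";

    // The same fragment wrapped in the escape directive the reporter proposes;
    // every ${...} inside the block is passed through ?html before output.
    static final String ESCAPED = "<#escape x as x?html>\n" + VULNERABLE + "</#escape>";

    static String render(String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        Template t = new Template("orderheader-fragment", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // True when a '<' survived into the output: the template text itself has
    // none, so any tag opener came from an untrusted field and would be parsed
    // as markup by the browser showing the order.
    static boolean containsRawMarkup(String rendered) {
        return rendered.indexOf('<') >= 0;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = new HashMap<>();
        // Constructed sample values standing in for what a customer typed at checkout.
        model.put("giftMessage", "<iframe src=\"http://example.invalid/\"></iframe>");
        model.put("shippingInstructions", "Leave at the door & ring twice");

        String unsafe = render(VULNERABLE, model);
        String safe = render(ESCAPED, model);
        System.out.println("unescaped:\n" + unsafe + "raw markup: " + containsRawMarkup(unsafe));
        System.out.println("escaped:\n" + safe + "raw markup: " + containsRawMarkup(safe));
        // Escaped output shows &lt;iframe ...&gt; and &amp; as literal text,
        // so the gift message is displayed instead of loading a frame.
    }
}
```

FreeMarker 2.3.24 and later can also apply this escaping configuration-wide through an HTML output format (auto-escaping), which covers every template rather than only the ones someone remembered to wrap in <#escape>.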

[jira] Closed: (OFBIZ-2121) XSS vulnerability in eCommerce/ordermgr

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2121?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum closed OFBIZ-2121.
------------------------------

    Resolution: Duplicate

If anyone has anything to contribute, they can contribute it using one of the existing Jira issues.
