[jira] Created: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)


[jira] Created: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

Nicolas Malin (Jira)
Password visible in URL query string & hidden parameter (pre/post auth)
-----------------------------------------------------------------------

                 Key: OFBIZ-2194
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2194
             Project: OFBiz
          Issue Type: Bug
          Components: ecommerce
    Affects Versions: SVN trunk
            Reporter: Michele Orru
             Fix For: SVN trunk


When logging in to the ecommerce application, if we send a POST request to the login URI with a deliberately wrong user/passwd pair,
the application responds by embedding in the HTML the link to which we sent our request, plus the USERNAME/PASSWORD parameters (with their respective values):

--- REQUEST ---
POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf


--- RESPONSE ---

[...]
<div id="ecom-header-bar">
    <ul id="left-links">
            <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
        <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
        <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
    </ul>
    <ul id="right-links">
        <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
        <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
        <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
        <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
        <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping&nbsp;Lists</a></li>
        <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order&nbsp;History</a></li>
    </ul>
</div>
[...]


Now, that's not so bad: basically it is not an exploitable issue.
The serious point is that if we log in with valid credentials, the HTML page that will be rendered after the successful login will contain a hidden parameter with our password, which can be easily grabbed thanks to the XSS issues that are still present almost everywhere in the ecommerce application.

--- REQUEST ---

POST /ecommerce/control/login HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://localhost:8443/ecommerce/control/login
Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

USERNAME=euronymous&PASSWORD=euronymous666



--- RESPONSE ---
[...]
<div class="screenlet">
    <div class="screenlet-header">
        <div class="boxhead">Mini-Poll Poll</div>
    </div>
    <div class="screenlet-body">
        <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
         
    <input type="hidden" name="PASSWORD" value="euronymous666"/>
    <input type="hidden" name="USERNAME" value="euronymous"/>


  <input type="hidden" name="partyId" value="10010"/>

<input type="hidden" name="surveyId" value="1003"/>
[...]

Have fun

Michele Orrù

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

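The two responses above show the same defect in two places: credentials from the login POST reflected into the query string of a rendered link, and into hidden inputs of a later form. As an added example (not code from the report or from OFBiz), the scanner below walks a response body and reports both kinds of reflection, so it can serve as a regression check after a login attempt. The parameter names come from the report; the sample HTML and its values are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Login form field names used by the OFBiz ecommerce login (as seen in the report).
# Values of these parameters must never be reflected into a rendered page.
SENSITIVE_PARAMS = frozenset({"USERNAME", "PASSWORD"})


class CredentialLeakScanner(HTMLParser):
    """Collects every place a sensitive parameter is reflected into HTML:
    query strings of <a href> / <form action> URLs and hidden <input> fields.
    Each finding is a (where, parameter_name, reflected_value) tuple."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so &amp; in attributes is unescaped
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self._check_url("href-query", a["href"])
        elif tag == "form" and a.get("action"):
            self._check_url("action-query", a["action"])
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            name = a.get("name", "")
            if name.upper() in SENSITIVE_PARAMS:
                self.findings.append(("hidden-input", name, a.get("value", "")))

    def _check_url(self, where, url):
        # Only the query string can carry parameters; path and ;jsessionid are ignored.
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if name.upper() in SENSITIVE_PARAMS:
                self.findings.append((where, name, value))


def scan_response(body):
    """Return all credential reflections found in an HTML response body."""
    scanner = CredentialLeakScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def secret_echoed(body, secret):
    """Coarser check for a test harness: after POSTing PASSWORD=secret, the
    literal secret must not appear anywhere in the response at all."""
    return bool(secret) and secret in body


# Constructed samples modelled on the two responses in the report (not the report's values).
FAILED_LOGIN_HTML = """
<div id="ecom-header-bar">
  <ul id="left-links">
    <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&amp;USERNAME=demo&amp;PASSWORD=hunter2&amp;contentId=CNTGIZMOS">Login</a></li>
    <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
  </ul>
</div>
"""

POST_LOGIN_HTML = """
<form method="post" action="/ecommerce/control/minipoll/main;jsessionid=EXAMPLE.jvm1">
  <input type="hidden" name="PASSWORD" value="hunter2"/>
  <input type="hidden" name="USERNAME" value="demo"/>
  <input type="hidden" name="partyId" value="10010"/>
</form>
"""

if __name__ == "__main__":
    for label, body in (("failed login", FAILED_LOGIN_HTML), ("post login", POST_LOGIN_HTML)):
        for where, name, value in scan_response(body):
            print("%s: %s reflected in %s (value %r)" % (label, name, where, value))
```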
Reply | Threaded
Open this post in threaded view
|

[jira] Commented: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674406#action_12674406 ]

David E. Jones commented on OFBIZ-2194:
---------------------------------------

Thanks for reporting this Michele.

Which revision of OFBiz are you testing this on?

This was a known problem (form fields ending up in the URL for post-login use, including login form fields if you click on things in the right order) that was fixed about two weeks ago as part of my rewriting some of the messy parts of the RequestHandler (part of the ControlServlet) and the parameter handling for post-login forwarding (which is now done as actual forwarding).

Could you test this with the latest trunk? The issue should be resolved...


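The comment above describes the fix as two changes: login form fields no longer get merged into the parameters preserved for post-login use, and the replay is done as a server-side forward rather than by rendering parameters into URLs and hidden inputs. As an added example (not OFBiz code, and not a description of the actual RequestHandler change), the model below puts the reported behaviour next to a hardened parameter-preservation step; field names come from the report, the sample request values are constructed.

```python
import html
from urllib.parse import urlencode

# OFBiz login form field names, as seen in the report. Anything in this set is
# a credential and must never be preserved across the login step.
LOGIN_FIELDS = frozenset({"USERNAME", "PASSWORD"})


def legacy_preserved_params(query_params, form_params):
    """Behaviour the report shows: every parameter of the request that reached
    the login step, POST body fields included, is carried over as one flat list
    and later rendered into links and hidden inputs."""
    return list(query_params) + list(form_params)


def hardened_preserved_params(query_params, form_params):
    """Drop credential fields before anything is preserved, and keep body fields
    apart from query fields so they can be replayed by a server-side forward
    instead of being rendered into a URL."""
    safe_query = [(k, v) for k, v in query_params if k.upper() not in LOGIN_FIELDS]
    safe_form = [(k, v) for k, v in form_params if k.upper() not in LOGIN_FIELDS]
    return safe_query, safe_form


def render_login_link(path, params):
    """Build the href of the header-bar Login link from preserved query params."""
    return path + "?" + urlencode(params) if params else path


def render_hidden_fields(params):
    """Render preserved fields as hidden inputs with escaped attribute values,
    so a value containing a quote cannot break out of the attribute."""
    return "\n".join(
        '<input type="hidden" name="%s" value="%s"/>'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in params
    )


# Constructed sample request: the same shape as the first request in the report.
SAMPLE_QUERY = [("nodeTrailCsv", "CNTGIZMOS,CNTGIZMOSSML"), ("contentId", "CNTGIZMOS")]
SAMPLE_FORM = [("USERNAME", "demo"), ("PASSWORD", "hunter2")]
LOGIN_PATH = "/ecommerce/control/checkLogin/login"


def leaks_credentials(rendered):
    """True if any login field name appears in rendered output."""
    return any(field in rendered for field in LOGIN_FIELDS)


if __name__ == "__main__":
    print("legacy:  ", render_login_link(LOGIN_PATH, legacy_preserved_params(SAMPLE_QUERY, SAMPLE_FORM)))
    q, f = hardened_preserved_params(SAMPLE_QUERY, SAMPLE_FORM)
    print("hardened:", render_login_link(LOGIN_PATH, q))
    print(render_hidden_fields(f) or "(no hidden fields to replay)")
```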

[jira] Issue Comment Edited: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674546#action_12674546 ]

euronymous edited comment on OFBIZ-2194 at 2/18/09 1:29 AM:
--------------------------------------------------------------

Hi David

Yes, you're right. I'm sorry, but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPI integration.

The issue has been correctly fixed. Sorry to "spam" (anyway I didn't find anything related in jira, so credits are mine ahahaha..joke)


All The Best David

Michele

      was (Author: euronymous):
    Hi David

Yes you're right. I'm sorry but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPOI integration.

The issue has been correctly fixed. Sorry to "spam" (anyway I didn't find anything related in jira, so credits are mine ahahaha..joke)


All The Best David

Michele
 



[jira] Commented: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674546#action_12674546 ]

Michele Orru commented on OFBIZ-2194:
-------------------------------------

Hi David

Yes, you're right. I'm sorry, but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPI integration.

The issue has been correctly fixed. Sorry to "spam" (anyway I didn't find anything related in jira, so credits are mine ahahaha..joke)


All The Best David

Michele



[jira] Resolved: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michele Orru resolved OFBIZ-2194.
---------------------------------

    Resolution: Fixed

Confirmed fixed in rev. 742352



[jira] Issue Comment Edited: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674547#action_12674547 ]

euronymous edited comment on OFBIZ-2194 at 2/18/09 1:35 AM:
--------------------------------------------------------------

Confirmed fixed in rev. 742352

Credits to David E. Jones (not to me :) )

      was (Author: euronymous):
    Confirmed fixed in rev. 742352
 

> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-2194
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2194
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Michele Orru
>             Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
>     <ul id="left-links">
>             <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
>         <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
>         <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
>     </ul>
>     <ul id="right-links">
>         <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
>         <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
>         <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
>         <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
>         <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping&nbsp;Lists</a></li>
>         <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order&nbsp;History</a></li>
>     </ul>
> </div>
> [...]
> Now, that's not so bad: basically it is not an exploitable issue.
> The serious point is that if we log in with valid credentials, the HTML page rendered after the successful login will contain a hidden parameter with our password, which can be easily grabbed thanks to the XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
>     <div class="screenlet-header">
>         <div class="boxhead">Mini-Poll Poll</div>
>     </div>
>     <div class="screenlet-body">
>         <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>          
>     <input type="hidden" name="PASSWORD" value="euronymous666"/>
>     <input type="hidden" name="USERNAME" value="euronymous"/>
>   <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
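As an added example (not OFBiz code nor the reporter's), a small Python regression check that scans a rendered page for the two leak channels the report shows: credential parameters carried in an anchor's query string, and hidden inputs that re-emit them. The HTML sample is constructed from the two responses above, and the set of parameter names to treat as credentials is an assumption.

```python
"""Added example (not OFBiz code): detect credential parameters that a server
reflected into a rendered HTML page, the defect reported in OFBIZ-2194."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials. "password" comes from the report;
# the aliases are an assumption about other login forms.
DEFAULT_SENSITIVE = frozenset({"password", "passwd", "pwd"})


class _LeakScanner(HTMLParser):
    def __init__(self, sensitive):
        super().__init__()
        self.sensitive = {s.lower() for s in sensitive}
        self.leaks = []  # (channel, parameter name, leaked value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            # Channel 1: the login link rebuilt with the POSTed parameters in its query string
            for name, value in parse_qsl(urlsplit(a["href"]).query, keep_blank_values=True):
                if name.lower() in self.sensitive:
                    self.leaks.append(("href", name, value))
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            # Channel 2: the post-login page re-emitting the credential as a hidden field
            name = a.get("name") or ""
            if name.lower() in self.sensitive:
                self.leaks.append(("hidden", name, a.get("value") or ""))


def find_credential_leaks(html, sensitive=DEFAULT_SENSITIVE):
    """Return every (channel, name, value) where a credential parameter is reflected."""
    scanner = _LeakScanner(sensitive)
    scanner.feed(html)
    scanner.close()
    return scanner.leaks


# Constructed sample, trimmed from the two responses quoted in the report
SAMPLE = """
<li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=X&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf">Login</a></li>
<form method="post" action="/ecommerce/control/minipoll/main">
<input type="hidden" name="PASSWORD" value="euronymous666"/>
<input type="hidden" name="USERNAME" value="euronymous"/>
<input type="hidden" name="partyId" value="10010"/>
</form>
"""

if __name__ == "__main__":
    for channel, name, value in find_credential_leaks(SAMPLE):
        print(f"{channel}: {name}={value}")
```

Run it against the HTML of each page served after a login attempt (failed and successful); any non-empty result means the controller is still propagating the credential parameters into links or forms.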


[jira] Closed: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-2194.
----------------------------------

    Assignee: David E. Jones

> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-2194
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2194
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Michele Orru
>            Assignee: David E. Jones
>             Fix For: SVN trunk
>
>
