[jira] Created: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
Locked
[jira] Created: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
 
|
Password visible in URL query string & hidden parameter (pre/post auth)
----------------------------------------------------------------------- Key: OFBIZ-2194 URL: https://issues.apache.org/jira/browse/OFBIZ-2194 Project: OFBiz Issue Type: Bug Components: ecommerce Affects Versions: SVN trunk Reporter: Michele Orru Fix For: SVN trunk When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair, the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values): --- REQUEST --- POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1 Host: localhost:8443 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio Content-Type: application/x-www-form-urlencoded Content-Length: 44 USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf --- RESPONSE --- [...] <div id="ecom-header-bar"> <ul id="left-links"> <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li> <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li> <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li> </ul> <ul id="right-links"> <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right --> <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li> <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li> <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li> <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li> <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li> </ul> </div> [...] Now, that's not son bad: basically is not an exploitable issue. The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application. --- REQUEST --- POST /ecommerce/control/login HTTP/1.1 Host: localhost:8443 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://localhost:8443/ecommerce/control/login Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous Content-Type: application/x-www-form-urlencoded Content-Length: 41 USERNAME=euronymous&PASSWORD=euronymous666 --- RESPONSE --- [...] <div class="screenlet"> <div class="screenlet-header"> <div class="boxhead">Mini-Poll Poll</div> </div> <div class="screenlet-body"> <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;"> <input type="hidden" name="PASSWORD" value="euronymous666"/> <input type="hidden" name="USERNAME" value="euronymous"/> <input type="hidden" name="partyId" value="10010"/> <input type="hidden" name="surveyId" value="1003"/> [...] Have fun Michele Orrù -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Commented: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
|
|
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674406#action_12674406 ] David E. Jones commented on OFBIZ-2194: --------------------------------------- Thanks for reporting this Michele. Which revision of OFBiz are you testing this on? This was a known problem (form fields ending up in the URL for post-login use, including login form fields if you click on things in the right order) that was fixed about two weeks ago as part of my rewriting some of the messy parts of the RequestHandler (part of the ControlServlet) and the parameter handling for post-login forwarding (which is now done as actual forwarding). Could you test this with the latest trunk? The issue should be resolved... > Password visible in URL query string & hidden parameter (pre/post auth) > ----------------------------------------------------------------------- > > Key: OFBIZ-2194 > URL: https://issues.apache.org/jira/browse/OFBIZ-2194 > Project: OFBiz > Issue Type: Bug > Components: ecommerce > Affects Versions: SVN trunk > Reporter: Michele Orru > Fix For: SVN trunk > > > When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair, > the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values): > --- REQUEST --- > POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS > Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio > Content-Type: application/x-www-form-urlencoded > Content-Length: 44 > USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf > --- RESPONSE --- > [...] > <div id="ecom-header-bar"> > <ul id="left-links"> > <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li> > <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li> > <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li> > </ul> > <ul id="right-links"> > <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right --> > <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li> > <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li> > <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li> > <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li> > <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li> > </ul> > </div> > [...] > Now, that's not son bad: basically is not an exploitable issue. > The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application. > --- REQUEST --- > POST /ecommerce/control/login HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/login > Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous > Content-Type: application/x-www-form-urlencoded > Content-Length: 41 > USERNAME=euronymous&PASSWORD=euronymous666 > --- RESPONSE --- > [...] > <div class="screenlet"> > <div class="screenlet-header"> > <div class="boxhead">Mini-Poll Poll</div> > </div> > <div class="screenlet-body"> > <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;"> > > <input type="hidden" name="PASSWORD" value="euronymous666"/> > <input type="hidden" name="USERNAME" value="euronymous"/> > <input type="hidden" name="partyId" value="10010"/> > <input type="hidden" name="surveyId" value="1003"/> > [...] > Have fun > Michele Orrù -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Issue Comment Edited: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674546#action_12674546 ] euronymous edited comment on OFBIZ-2194 at 2/18/09 1:29 AM: -------------------------------------------------------------- Hi David Yes you're right. I'm sorry but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPI integration. The issue has been correctly fixed. Sorry to "spam" (anyway I did'n find anything relating in jira, so credits are mine ahahaha..joke) All The Best David Michele was (Author: euronymous): Hi David Yes you're right. I'm sorry but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPOI integration. The issue has been correctly fixed. Sorry to "spam" (anyway I did'n find anything relating in jira, so credits are mine ahahaha..joke) All The Best David Michele > Password visible in URL query string & hidden parameter (pre/post auth) > ----------------------------------------------------------------------- > > Key: OFBIZ-2194 > URL: https://issues.apache.org/jira/browse/OFBIZ-2194 > Project: OFBiz > Issue Type: Bug > Components: ecommerce > Affects Versions: SVN trunk > Reporter: Michele Orru > Fix For: SVN trunk > > > When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair, > the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values): > --- REQUEST --- > POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS > Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio > Content-Type: application/x-www-form-urlencoded > Content-Length: 44 > USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf > --- RESPONSE --- > [...] > <div id="ecom-header-bar"> > <ul id="left-links"> > <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li> > <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li> > <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li> > </ul> > <ul id="right-links"> > <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right --> > <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li> > <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li> > <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li> > <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li> > <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li> > </ul> > </div> > [...] > Now, that's not son bad: basically is not an exploitable issue. > The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application. > --- REQUEST --- > POST /ecommerce/control/login HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/login > Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous > Content-Type: application/x-www-form-urlencoded > Content-Length: 41 > USERNAME=euronymous&PASSWORD=euronymous666 > --- RESPONSE --- > [...] > <div class="screenlet"> > <div class="screenlet-header"> > <div class="boxhead">Mini-Poll Poll</div> > </div> > <div class="screenlet-body"> > <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;"> > > <input type="hidden" name="PASSWORD" value="euronymous666"/> > <input type="hidden" name="USERNAME" value="euronymous"/> > <input type="hidden" name="partyId" value="10010"/> > <input type="hidden" name="surveyId" value="1003"/> > [...] > Have fun > Michele Orrù -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Commented: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674546#action_12674546 ] Michele Orru commented on OFBIZ-2194: ------------------------------------- Hi David Yes you're right. I'm sorry but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPOI integration. The issue has been correctly fixed. Sorry to "spam" (anyway I did'n find anything relating in jira, so credits are mine ahahaha..joke) All The Best David Michele > Password visible in URL query string & hidden parameter (pre/post auth) > ----------------------------------------------------------------------- > > Key: OFBIZ-2194 > URL: https://issues.apache.org/jira/browse/OFBIZ-2194 > Project: OFBiz > Issue Type: Bug > Components: ecommerce > Affects Versions: SVN trunk > Reporter: Michele Orru > Fix For: SVN trunk > > > When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair, > the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values): > --- REQUEST --- > POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS > Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio > Content-Type: application/x-www-form-urlencoded > Content-Length: 44 > USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf > --- RESPONSE --- > [...] > <div id="ecom-header-bar"> > <ul id="left-links"> > <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li> > <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li> > <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li> > </ul> > <ul id="right-links"> > <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right --> > <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li> > <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li> > <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li> > <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li> > <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li> > </ul> > </div> > [...] > Now, that's not son bad: basically is not an exploitable issue. > The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application. > --- REQUEST --- > POST /ecommerce/control/login HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/login > Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous > Content-Type: application/x-www-form-urlencoded > Content-Length: 41 > USERNAME=euronymous&PASSWORD=euronymous666 > --- RESPONSE --- > [...] > <div class="screenlet"> > <div class="screenlet-header"> > <div class="boxhead">Mini-Poll Poll</div> > </div> > <div class="screenlet-body"> > <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;"> > > <input type="hidden" name="PASSWORD" value="euronymous666"/> > <input type="hidden" name="USERNAME" value="euronymous"/> > <input type="hidden" name="partyId" value="10010"/> > <input type="hidden" name="surveyId" value="1003"/> > [...] > Have fun > Michele Orrù -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Resolved: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Michele Orru resolved OFBIZ-2194. --------------------------------- Resolution: Fixed Confirmed fixed in rev. 742352 > Password visible in URL query string & hidden parameter (pre/post auth) > ----------------------------------------------------------------------- > > Key: OFBIZ-2194 > URL: https://issues.apache.org/jira/browse/OFBIZ-2194 > Project: OFBiz > Issue Type: Bug > Components: ecommerce > Affects Versions: SVN trunk > Reporter: Michele Orru > Fix For: SVN trunk > > > When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair, > the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values): > --- REQUEST --- > POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS > Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio > Content-Type: application/x-www-form-urlencoded > Content-Length: 44 > USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf > --- RESPONSE --- > [...] > <div id="ecom-header-bar"> > <ul id="left-links"> > <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li> > <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li> > <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li> > </ul> > <ul id="right-links"> > <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right --> > <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li> > <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li> > <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li> > <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li> > <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li> > </ul> > </div> > [...] > Now, that's not son bad: basically is not an exploitable issue. > The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application. > --- REQUEST --- > POST /ecommerce/control/login HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/login > Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous > Content-Type: application/x-www-form-urlencoded > Content-Length: 41 > USERNAME=euronymous&PASSWORD=euronymous666 > --- RESPONSE --- > [...] > <div class="screenlet"> > <div class="screenlet-header"> > <div class="boxhead">Mini-Poll Poll</div> > </div> > <div class="screenlet-body"> > <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;"> > > <input type="hidden" name="PASSWORD" value="euronymous666"/> > <input type="hidden" name="USERNAME" value="euronymous"/> > <input type="hidden" name="partyId" value="10010"/> > <input type="hidden" name="surveyId" value="1003"/> > [...] > Have fun > Michele Orrù -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Issue Comment Edited: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674547#action_12674547 ] euronymous edited comment on OFBIZ-2194 at 2/18/09 1:35 AM: -------------------------------------------------------------- Confirmed fixed in rev. 742352 Credits to David E. Jones (not to me :) ) was (Author: euronymous): Confirmed fixed in rev. 742352 > Password visible in URL query string & hidden parameter (pre/post auth) > ----------------------------------------------------------------------- > > Key: OFBIZ-2194 > URL: https://issues.apache.org/jira/browse/OFBIZ-2194 > Project: OFBiz > Issue Type: Bug > Components: ecommerce > Affects Versions: SVN trunk > Reporter: Michele Orru > Fix For: SVN trunk > > > When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair, > the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values): > --- REQUEST --- > POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS > Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio > Content-Type: application/x-www-form-urlencoded > Content-Length: 44 > USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf > --- RESPONSE --- > [...] > <div id="ecom-header-bar"> > <ul id="left-links"> > <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li> > <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li> > <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li> > </ul> > <ul id="right-links"> > <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right --> > <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li> > <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li> > <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li> > <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li> > <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li> > </ul> > </div> > [...] > Now, that's not son bad: basically is not an exploitable issue. > The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application. > --- REQUEST --- > POST /ecommerce/control/login HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/login > Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous > Content-Type: application/x-www-form-urlencoded > Content-Length: 41 > USERNAME=euronymous&PASSWORD=euronymous666 > --- RESPONSE --- > [...] > <div class="screenlet"> > <div class="screenlet-header"> > <div class="boxhead">Mini-Poll Poll</div> > </div> > <div class="screenlet-body"> > <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;"> > > <input type="hidden" name="PASSWORD" value="euronymous666"/> > <input type="hidden" name="USERNAME" value="euronymous"/> > <input type="hidden" name="partyId" value="10010"/> > <input type="hidden" name="surveyId" value="1003"/> > [...] > Have fun > Michele Orrù -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Closed: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux closed OFBIZ-2194. ---------------------------------- Assignee: David E. Jones > Password visible in URL query string & hidden parameter (pre/post auth) > ----------------------------------------------------------------------- > > Key: OFBIZ-2194 > URL: https://issues.apache.org/jira/browse/OFBIZ-2194 > Project: OFBiz > Issue Type: Bug > Components: ecommerce > Affects Versions: SVN trunk > Reporter: Michele Orru > Assignee: David E. Jones > Fix For: SVN trunk > > > When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair, > the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values): > --- REQUEST --- > POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS > Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio > Content-Type: application/x-www-form-urlencoded > Content-Length: 44 > USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf > --- RESPONSE --- > [...] > <div id="ecom-header-bar"> > <ul id="left-links"> > <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li> > <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li> > <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li> > </ul> > <ul id="right-links"> > <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right --> > <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li> > <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li> > <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li> > <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li> > <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li> > </ul> > </div> > [...] > Now, that's not son bad: basically is not an exploitable issue. > The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application. > --- REQUEST --- > POST /ecommerce/control/login HTTP/1.1 > Host: localhost:8443 > User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://localhost:8443/ecommerce/control/login > Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous > Content-Type: application/x-www-form-urlencoded > Content-Length: 41 > USERNAME=euronymous&PASSWORD=euronymous666 > --- RESPONSE --- > [...] > <div class="screenlet"> > <div class="screenlet-header"> > <div class="boxhead">Mini-Poll Poll</div> > </div> > <div class="screenlet-body"> > <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;"> > > <input type="hidden" name="PASSWORD" value="euronymous666"/> > <input type="hidden" name="USERNAME" value="euronymous"/> > <input type="hidden" name="partyId" value="10010"/> > <input type="hidden" name="surveyId" value="1003"/> > [...] > Have fun > Michele Orrù -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
«
Return to OFBiz - Dev
|
1 view|%1 views
| Free forum by Nabble | Edit this page |