OFBiz › OFBiz - Dev

[jira] Created: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

13 messages Options

Nicolas Malin (Jira)

[jira] Created: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

Cross Site Scripting Vulnerability (XSS)
----------------------------------------

Key: OFBIZ-260
URL: http://issues.apache.org/jira/browse/OFBIZ-260
Project: OFBiz (The Open for Business Project)
Issue Type: Bug
Components: ecommerce
Affects Versions: SVN trunk
Reporter: Marco Risaliti

*Very* simple test:

/ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>

Other components beside ecommerce are also affected.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12434415 ]

Marco Risaliti commented on OFBIZ-260:
--------------------------------------

It replace the old-jira issue OFBIZ-559.

Thanks
Marco

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12434418 ]

David E. Jones commented on OFBIZ-260:
--------------------------------------

Has anyone found an actual vulnerability related to this?

It is somewhat natural with webapps that you can change the behavior by changing (directory or indirectly) the text that the browser interprets.

The real question is whether or not it is possible to change server-side behavior to do something the user is not authorized to do.

Nicolas Malin (Jira)

[jira] Updated: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=all ]

Jacopo Cappellato updated OFBIZ-260:
------------------------------------

Description:
It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.

===========================================================

*Very* simple test:

/ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>

Other components beside ecommerce are also affected.

was:
*Very* simple test:

/ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>

Other components beside ecommerce are also affected.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

Nicolas Malin (Jira)

[jira] Updated: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=all ]

Jacopo Cappellato updated OFBIZ-260:
------------------------------------

Comment: was deleted

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12436365 ]

Leon Torres commented on OFBIZ-260:
-----------------------------------

The attack would have to be extremely sophisticated and social: Imagine that the popup is inserted into some description field. When displayed in a text area, it gets executed. (I tried <script>alert("XSS")</script>, it worked.) Now imagine that the popup is designed to look like the ofbiz login screen. An administrator would type in the username and password, which then gets sent to some remote site via a URL call in javascript. The window closes and the administrator wonders what happened.

So a combination of phishing techniques, careful scripting, a careless user, and a compromised account that can edit a textarea is sufficient to cause a vulnerability.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12436366 ]

Leon Torres commented on OFBIZ-260:
-----------------------------------

I just realized that a compromised account is not necessary. Any public input that gets displayed as textarea internally is a vector for attack, such as gift message.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12436441 ]

Jacques Le Roux commented on OFBIZ-260:
---------------------------------------

Yes indeed, as far as I searched there is no threat on the server side. On client side I can see another threat more of social engineered as described Leon above. The most I have achieved was using something like <script>alert(document.cookie);</script> .This can be used in many places (every places where a parameter is passed in url) and at first glance seems not too harmful. But we can imagine that an attacker could use this to build a more sophisticated script retrieving cookies. Having the admin login and such he might try brutal force to find a password...

In this case we speak about non persistent XSS but in the case of https://issues.apache.org/jira/browse/OFBIZ-178 where persistend entry may be in place the attack could be even more dangerous. Because there the attacker has just to wait...

Here are some interesting links I found about this subject :
http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://alistapart.com/articles/secureyourcode
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
http://ha.ckers.org/xss.html

Some solutions from a list apart (http://alistapart.com/articles/secureyourcode)
* Strip out single and double quotes or convert them to their HTML entities (‘ and ’ for opening and closing single quotes, “ and ” for opening and closing double quotes). Please note however, that this does not entirely protect you. An attacker could still use String.fromCharCode(39) in an eval() function.
* Convert < and > to < and >.
* Convert all line breaks to <br>. If you do this on all code, including style tags, you will save yourself from an attack. See "IE, CSS and JavaScript".
* Check your self-created code tags (such as [URL]) to make sure the user is not allowed to inject JavaScript in URLs or CSS.
* Consider stripping out the word "script" to prevent someone from trying to inject the word JavaScript. Keep in mind, though, that as far as IE is concerned, "ja\n\sc\nript" is valid.
* Use regular expressions (server side) to validate and sanitize user input, as described above
* Validate CSS input!

See also p.19 of http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

But as we can see in http://ha.ckers.org/xss.html this may not be a simple issue : encoding can be very sophisticated :(
Even if http://www.cert.org/tech_tips/malicious_code_mitigation.html proposes some solutions about that.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12438350 ]

Eriks Dobelis commented on OFBIZ-260:
-------------------------------------

I suggest we start with really cautious attitude here, and then in longer run remove restrictions when we are sure they are safe.

So for the start I would suggest:

In forum case - it is just a few tags that are allowed (like <i>,<b>, but not <img> and certainly <script>). All <,>, and better also ',",; which are not part of explicitely allowed tags should be changed to &#60,&#62, etc. <img> tag should not be allowed because it contains parameters which can be manipulated. There is nothing attacker can do with simple <i>.

In search case it is simpler, because you should not allow any tags there at all and should replace all of these.

Of course UTF-8 variations of the symbols should be analyzed and characters like 000060 should be converted to 60 before stripping.

Speaking about potential implementation, a separate filter should be created and used in corresponding web.xml analyzing all POST and GET parameters supplied by user. The question is whether we can create a generic filter for all components or there should different ones because of different needs of different modules.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

John Martin

Re: [jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

Hi Jacques,

Ironically I posted this about a weekago and nobody responded to it.
I agree and think that nearly ANY text that originates from user input
should be made safe. Here is my earlier post:

I'm looking to include a new method htmlSpecialChars into the
StringUtil class and am looking for feedback.

While working on the DHL enhancement, I found the need for a method
similar to the PHP function htmlSpecialChars which allows you to
output HTML and XML to the browser so that it can be viewed. When
there are errors, the XML is being output to the screen but the
special chars ( <, >, &, ", and ' ) are not displayed.

Another purpose for this function is to safeguard user input that is
later displayed in the browser.

Here is a link to docs on the PHP function http://us3.php.net/htmlspecialchars.

Here's my implementation:

/**
* Translates various HTML characters in a string so that the
string can be displayed in a browser safely
* <p>
* This function is useful in preventing user-supplied text from
containing HTML markup, such as in a message board or
* guest book application. The optional arguments doubleQuotes and
singleQuotes allow the control of the substitution of
* the quote characters. The default is to translate them with
the HTML equivalent.
* </p>
* The translations performed are: <ol>
* <li>'&' (ampersand) becomes '&'
* <li>'"' (double quote) becomes '"' when doubleQuotes is true.
* <li>''' (single quote) becomes ''' when singleQuotes is true.
* <li>'<' (less than) becomes '<'
* <li>'>' (greater than) becomes '>'
* <li>\n (Carriage Return) becomes '<br>gt;'
* </ol>
*/
public static String htmlSpecialChars(String html, boolean
doubleQuotes, boolean singleQuotes, boolean insertBR) {
html = StringUtil.replaceString(html, "&", "&amps;");
html = StringUtil.replaceString(html, "<", "<");
html = StringUtil.replaceString(html, ">", ">");
if (doubleQuotes) {
html = StringUtil.replaceString(html, "\"", """);
}
if (singleQuotes) {
html = StringUtil.replaceString(html, "'", "&#039");
}
if (insertBR) {
html = StringUtil.replaceString(html, "\n", "<br>");
}

return html;
}
public static String htmlSpecialChars(String html) {
return htmlSpecialChars(html, true, true, true);
}

Thanks,

John

Jacques Le Roux

Re: [jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

Administrator

Hi John,

Sorry not to have noticed that. I read your message but I guess not completly and did not saw

> Another purpose for this function is to safeguard user input that is
> later displayed in the browser.

Surely a bad behaviour from an irrepressible instinctive repulsion to PHP word ;o)

I'm also surprised that there is no equivalent in Java, not sure why though (any thought folks here ?)

From your side perhaps a better way would have been to post directly on related Jira issues (I say that for future :o)
http://issues.apache.org/jira/browse/OFBIZ-178
http://issues.apache.org/jira/browse/OFBIZ-260

Thus you could have posted a patch which is the preferred way to include code.

Anyway this is great and our first pace to resolve this issue. I will commit your proposition ASAP

Thanks John

Jacques

From: "John Martin" <[hidden email]>

> Hi Jacques,
>
> Ironically I posted this about a weekago and nobody responded to it.
> I agree and think that nearly ANY text that originates from user input
> should be made safe. Here is my earlier post:
>
> I'm looking to include a new method htmlSpecialChars into the
> StringUtil class and am looking for feedback.
>
> While working on the DHL enhancement, I found the need for a method
> similar to the PHP function htmlSpecialChars which allows you to
> output HTML and XML to the browser so that it can be viewed. When
> there are errors, the XML is being output to the screen but the
> special chars ( <, >, &, ", and ' ) are not displayed.
>
> Another purpose for this function is to safeguard user input that is
> later displayed in the browser.
>
> Here is a link to docs on the PHP function http://us3.php.net/htmlspecialchars.
>
> Here's my implementation:
>
> /**
> * Translates various HTML characters in a string so that the
> string can be displayed in a browser safely
> * <p>
> * This function is useful in preventing user-supplied text from
> containing HTML markup, such as in a message board or
> * guest book application. The optional arguments doubleQuotes and
> singleQuotes allow the control of the substitution of
> * the quote characters. The default is to translate them with
> the HTML equivalent.
> * </p>
> * The translations performed are: <ol>
> * <li>'&' (ampersand) becomes '&'
> * <li>'"' (double quote) becomes '"' when doubleQuotes is true.
> * <li>''' (single quote) becomes ''' when singleQuotes is true.
> * <li>'<' (less than) becomes '<'
> * <li>'>' (greater than) becomes '>'
> * <li>\n (Carriage Return) becomes '<br>gt;'
> * </ol>
> */
> public static String htmlSpecialChars(String html, boolean
> doubleQuotes, boolean singleQuotes, boolean insertBR) {
> html = StringUtil.replaceString(html, "&", "&amps;");
> html = StringUtil.replaceString(html, "<", "<");
> html = StringUtil.replaceString(html, ">", ">");
> if (doubleQuotes) {
> html = StringUtil.replaceString(html, "\"", """);
> }
> if (singleQuotes) {
> html = StringUtil.replaceString(html, "'", "&#039");
> }
> if (insertBR) {
> html = StringUtil.replaceString(html, "\n", "<br>");
> }
>
> return html;
> }
> public static String htmlSpecialChars(String html) {
> return htmlSpecialChars(html, true, true, true);
> }
>
> Thanks,
>
> John

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12438669 ]

Jacques Le Roux commented on OFBIZ-260:
---------------------------------------

I have added a new method htmlSpecialChars into the StringUtil class from John Martin.

htmlSpecialChars may be used in this issue and in OFBIZ-178 as well. A first step...

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>

Nicolas Malin (Jira)

[jira] Commented: (OFBIZ-260) Cross Site Scripting Vulnerability (XSS)

In reply to this post by Nicolas Malin (Jira)

[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12438689 ]

Eriks Dobelis commented on OFBIZ-260:
-------------------------------------

Great addition, Jacques! I suggest that there should be a parameter allowedTags or something like that. It would be a list of tags which are allowed and should not be replaced. So we could pass list like "b","i" and <b></b><i></i> would be left as they are, but all the other < and > would be replaced.

Important question is: what should call this method? What do you think about creating a filter in web.xml to parse user input? Or for now we should just call this method in cases where we have identified the problem, and create the global filter later?

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
> Key: OFBIZ-260
> URL: http://issues.apache.org/jira/browse/OFBIZ-260
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
>