[ofbiz-framework] branch release18.12 updated: Improved: Reflected XSS in content component (OFBIZ-11840)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 70c4a8a  Improved: Reflected XSS in content component (OFBIZ-11840)
70c4a8a is described below

commit 70c4a8aea7fee564de2c13677043cf21ef6c9698
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Jul 18 12:00:29 2020 +0200

    Improved: Reflected XSS in content component (OFBIZ-11840)
   
    Fixes a Reflected XSS vulnerability in content component
   
    Harshit Shukla reported it to the OFBiz security team:
    https://demo-stable.ofbiz.apache.org/content/control/stream?contentId="><svg/onload=alert(0)>
   
    It's a post-auth vulnerability so we did not ask for a CVE.
   
    Thanks: Harshit Shukla [hidden email]
---
 .../src/main/java/org/apache/ofbiz/content/data/DataEvents.java    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
index 5750463..1c81434 100644
--- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
+++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
@@ -82,6 +82,13 @@ public class DataEvents {
         // get the permission service required for streaming data; default is always the genericContentPermission
         String permissionService = EntityUtilProperties.getPropertyValue("content", "stream.permission.service", "genericContentPermission", delegator);
 
+        // This is counterintuitive but it works, for OFBIZ-11840
+        // It could be improved by checking for possible events associated with svg
+        // As listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
+        if (contentId.contains("<svg")) {
+            return "success";
+        }
+
         // get the content record
         GenericValue content;
         try {
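Review bot: The added check `if (contentId.contains("<svg"))` is case-sensitive and matches a single tag name, so it covers the reported payload but not other markup carrying event handlers, which the added comment already acknowledges by pointing at the cheat sheet. Consider validating `contentId` against the character set a content ID can legitimately contain and rejecting anything else, or HTML-encoding the value where it is reflected into the response, instead of matching on one tag. Two smaller points in the same block: returning "success" for rejected input hides the rejection from callers and from the logs (the comment itself calls this counterintuitive), so an error return with a log entry would be clearer; and if `contentId` can be null at this point, `contains` will throw, so a null check should come first.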