[<prev] [next>] [day] [month] [year] [list]
Message-Id: <A126EDA0-06A5-4B67-8CDD-FC5F5AABA147@apache.org>
Date: Sun, 15 Apr 2012 15:33:25 +0200
From: Jacopo Cappellato <jacopoc@...che.org>
To: security@...che.org, Ofbiz User ML <user@...iz.apache.org>,
dev@...iz.apache.org, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com
Cc: mmadou@...com
Subject: [CVE-2012-1621] Apache OFBiz information disclosure vulnerability
CVE-2012-1621: Apache OFBiz information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation - Apache OFBiz
======Versions Affected======
Apache OFBiz 10.04 (also known as 10.04.01)
======Description======
Multiple XSS:
XSS 1:
Error messages containing user input returned via ajax requests
weren't being escaped
XSS 2:
Parameter arrays (converted to Lists by OFBiz) weren't being
auto-encoded in freemarker templates. An attacker could send multiple
parameters sharing the same name where only a single value was
expected, because the value was a List instead of a String rendering
the parameter in freemarker via ${parameter} would bypass OFBiz's
automatic html encoding.
XSS 3:
Requests that used the cms event were susceptible to XSS attacks via
the contentId and mapKey parameters because if the content was found
to be missing an unencoded error message containing the supplied
values was being streamed to the browser.
XSS 4:
Requests that used the experimental Webslinger component were susceptible to XSS attacks
====== Mitigation======
10.04 users should upgrade to 10.04.02
======Credit======
These issues were discovered by Matias Madou (mmadou@...com) of Fortify/HP Security Research Group
Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)
Powered by blists - more mailing lists