lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <A126EDA0-06A5-4B67-8CDD-FC5F5AABA147@apache.org>
Date: Sun, 15 Apr 2012 15:33:25 +0200
From: Jacopo Cappellato <jacopoc@...che.org>
To: security@...che.org, Ofbiz User ML <user@...iz.apache.org>,
  dev@...iz.apache.org, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com
Cc: mmadou@...com
Subject: [CVE-2012-1621] Apache OFBiz information disclosure vulnerability

CVE-2012-1621: Apache OFBiz information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation - Apache OFBiz

======Versions Affected======

Apache OFBiz 10.04 (also known as 10.04.01)

======Description======

Multiple XSS:

XSS 1:
Error messages containing user input returned via ajax requests
weren't being escaped

XSS 2:
Parameter arrays (converted to Lists by OFBiz) weren't being
auto-encoded in freemarker templates.  An attacker could send multiple
parameters sharing the same name where only a single value was
expected, because the value was a List instead of a String rendering
the parameter in freemarker via ${parameter} would bypass OFBiz's
automatic html encoding.

XSS 3:
Requests that used the cms event were susceptible to XSS attacks via
the contentId and mapKey parameters because if the content was found
to be missing an unencoded error message containing the supplied
values was being streamed to the browser.

XSS 4:
Requests that used the experimental Webslinger component were susceptible to XSS attacks

====== Mitigation======

10.04 users should upgrade to 10.04.02

======Credit======

These issues were discovered by Matias Madou (mmadou@...com) of Fortify/HP Security Research Group

Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ