lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 15 Apr 2012 15:33:25 +0200
From: Jacopo Cappellato <>
To:, Ofbiz User ML <>,,,
Subject: [CVE-2012-1621] Apache OFBiz information
	disclosure vulnerability

CVE-2012-1621: Apache OFBiz information disclosure vulnerability

Severity: Important

The Apache Software Foundation - Apache OFBiz

======Versions Affected======

Apache OFBiz 10.04 (also known as 10.04.01)


Multiple XSS:

XSS 1:
Error messages containing user input returned via ajax requests
weren't being escaped

XSS 2:
Parameter arrays (converted to Lists by OFBiz) weren't being
auto-encoded in freemarker templates.  An attacker could send multiple
parameters sharing the same name where only a single value was
expected, because the value was a List instead of a String rendering
the parameter in freemarker via ${parameter} would bypass OFBiz's
automatic html encoding.

XSS 3:
Requests that used the cms event were susceptible to XSS attacks via
the contentId and mapKey parameters because if the content was found
to be missing an unencoded error message containing the supplied
values was being streamed to the browser.

XSS 4:
Requests that used the experimental Webslinger component were susceptible to XSS attacks

====== Mitigation======

10.04 users should upgrade to 10.04.02


These issues were discovered by Matias Madou ( of Fortify/HP Security Research Group

Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists