[
https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518895
]
Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------
> Nobody since then has proved any threats at the server level,
What do you mean ?
I can steal the session cookie and log as admin (for example),i would say it IS
a threat.
I did not look too much into it (cookie stealing is the easiest),i guess i
could do CSRF too, maybe some funny DOM manipulation, stealing customers data,
and so on ...
It should be top priority because i am not sure businesses would choose an ERP
with XSS.
> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
> Key: OFBIZ-1193
> URL: https://issues.apache.org/jira/browse/OFBIZ-1193
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: SVN trunk
> Environment: any environment
> Reporter: Vikrant Rathore
> Attachments: error screenshot.jpg
>
>
> This a very critical bug in ofbiz you can put in any html text including
> script or iframe tags in the input field for address update or customer name
> update i.e. any text field in ofbiz.
> Its a major security issue for all the ofbiz installation since the text in
> the input text field is not sanitized.
> below is small source code of the page where a script in the demo store for
> DemoCustomer profile which just pops up an alert box.
> <tr>
> <td width="26%" align="right" valign="top"><div
> class="tabletext">Address Line 1</div></td>
> <td width="5"> </td>
> <td width="74%">
> <input type="text" class='inputBox' size="30" maxlength="30"
> name="address1" value=""/><script>alert("a")</script>">
> *</td>
> </tr>
> <tr>
> Along with this attached the screenshot you can try the demo on ofbiz
> ecommerce store on the ofbiz website and use DemoCustomer profile you will
> see the same screenshot.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
