[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518898 ]
David E. Jones commented on OFBIZ-1193:
---------------------------------------

Are either of you up for helping with this? The first step would be to create some error scenarios that are problems right now, and then when the fix is in place we can see them fixed. So, the first goal as I see it is to write up 2-3 manual processes for actual security vulnerabilities.

I'm really interested in seeing these because all you can do with script injection is make the browser do things. The way OFBiz is designed all security and validation is done on the server, even if it is also done on the client. The only way I can think of you could do session hijacking is to have access to a browser an admin user has used and is still logged into, or by sniffing packets over the network. Of course, I'm not a security expert and haven't had the pleasure of researching these things in detail.

So yeah, specific scenarios we can work toward would be great and/or necessary to make progress on this.

> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
> Key: OFBIZ-1193
> URL: https://issues.apache.org/jira/browse/OFBIZ-1193
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: SVN trunk
> Environment: any environment
> Reporter: Vikrant Rathore
> Attachments: error screenshot.jpg
>
>
> This is a very critical bug in ofbiz: you can put any html text, including
> script or iframe tags, in the input field for address update or customer name
> update, i.e. any text field in ofbiz.
> It's a major security issue for all ofbiz installations since the text in
> the input text field is not sanitized.
> Below is a small piece of the source code of the page in the demo store for
> the DemoCustomer profile, where a script just pops up an alert box.
> <tr>
> <td width="26%" align="right" valign="top"><div
> class="tabletext">Address Line 1</div></td>
> <td width="5"> </td>
> <td width="74%">
> <input type="text" class='inputBox' size="30" maxlength="30"
> name="address1" value=""/><script>alert("a")</script>">
> *</td>
> </tr>
> <tr>
>
> Along with this I attached the screenshot. You can try the demo on the ofbiz
> ecommerce store on the ofbiz website and use the DemoCustomer profile; you will
> see the same screenshot.
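An added example, not code from OFBiz or from either commenter: it shows in JavaScript how the address1 value from the report breaks out of the value="" attribute when it is echoed raw into the template, and how escaping for the HTML attribute context keeps it inert. The render and check functions are hypothetical stand-ins for the real page template.

```javascript
// Added example (not OFBiz code). Demonstrates the stored-XSS bug from
// OFBIZ-1193 and the fix: escape field values for the HTML attribute
// context before echoing them. Helper names are hypothetical.

// Escape the characters that can terminate or alter an HTML attribute value.
// '&' goes first so already-produced entities are not double-escaped.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the stored value is dropped straight into value="".
function renderAddressFieldRaw(value) {
  return `<input type="text" class='inputBox' size="30" maxlength="30" ` +
         `name="address1" value="${value}"/>`;
}

// Fixed rendering: identical markup, but the value is attribute-escaped first.
function renderAddressFieldEscaped(value) {
  return `<input type="text" class='inputBox' size="30" maxlength="30" ` +
         `name="address1" value="${escapeHtmlAttr(value)}"/>`;
}

// Simple regression check: the template never emits a <script> tag itself,
// so any <script in the rendered field markup came from user data.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the address1 value shown in the bug report.
const reportedAddress1 = '"/><script>alert("a")</script>';

// Stand-alone demo: raw output contains an injected script, escaped does not.
console.log("raw:     ", renderAddressFieldRaw(reportedAddress1));
console.log("escaped: ", renderAddressFieldEscaped(reportedAddress1));
console.log("raw has script tag:    ", containsScriptTag(renderAddressFieldRaw(reportedAddress1)));
console.log("escaped has script tag:", containsScriptTag(renderAddressFieldEscaped(reportedAddress1)));
```

The same escaping must be applied in every output context the value reaches (attribute, element body, JavaScript string), since one escaper does not cover all of them.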