[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518901 ]

Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

>Are either of you up for helping with this? 

At least I will have to.

>So, the first goal as I see it is to write up 2-3 manual processes for actual 
>security vulnerabilities. 

The obvious first target is the ecommerce side, because you can inject script 
in the checkout process (shipping address, name, ...).

>The only way I can think of you could do session hijacking is to have access 
>to a browser an admin user has used and is still logged into, or by sniffing 
>packets over the network. 

I just did. Injecting from ecommerce (see above). Then when any logged-in user 
displays the script I get the JSESSIONID. That is all that is needed for me to 
enter the system as this user.

If I am lucky I get an account that has access to the webtool, but that is not 
unlikely at all. Especially because it uses a different JSESSIONID (easy to 
detect) and because the script works when a user displays the malicious data in 
the webtool!

After that I have unlimited access to all the data, and I could download all 
password hashes for example. If the hack wasn't detected at this point I could 
then remove the malicious code and brute force the passwords (which is not 
difficult since the hashes are not salted (see another OFBIZ issue I opened)).


> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
>                 Key: OFBIZ-1193
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1193
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: SVN trunk
>         Environment: any environment
>            Reporter: Vikrant Rathore
>         Attachments: error screenshot.jpg
>
>
> This is a very critical bug in ofbiz: you can put in any html text including 
> script or iframe tags in the input field for address update or customer name 
> update, i.e. any text field in ofbiz.
> It's a major security issue for all the ofbiz installations since the text in 
> the input text field is not sanitized.
> Below is a small piece of source code of the page where a script in the demo 
> store for the DemoCustomer profile just pops up an alert box.
> <tr>
>       <td width="26%" align="right" valign="top"><div 
> class="tabletext">Address Line 1</div></td>
>       <td width="5">&nbsp;</td>
>       <td width="74%">
>         <input type="text" class='inputBox' size="30" maxlength="30" 
> name="address1" value=""/><script>alert("a")</script>">
>       *</td>
>     </tr>
>     <tr>
> Along with this is attached the screenshot. You can try the demo on the ofbiz 
> ecommerce store on the ofbiz website and use the DemoCustomer profile; you will 
> see the same screenshot.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
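
Added example (not part of the original message and not OFBiz code): the `address1` input from the report rendered once verbatim and once with HTML output encoding applied at render time. The class and method names are hypothetical; the stored value is the one visible in the report's HTML excerpt.

```java
// Added example, not OFBiz code. Class and method names are hypothetical.
public class Address1Rendering {

    // Encode the characters that can close an attribute value or open a tag.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The input tag from the report; encode=false writes the stored value verbatim.
    static String renderAddress1(String stored, boolean encode) {
        String value = encode ? escapeHtml(stored) : stored;
        return "<input type=\"text\" class='inputBox' size=\"30\" maxlength=\"30\" "
             + "name=\"address1\" value=\"" + value + "\">";
    }

    public static void main(String[] args) {
        // Stored value recovered from the report's HTML excerpt.
        String stored = "\"/><script>alert(\"a\")</script>";

        String raw = renderAddress1(stored, false);
        String encoded = renderAddress1(stored, true);
        System.out.println("verbatim: " + raw);
        System.out.println("encoded:  " + encoded);

        // Verbatim output lets the value end the tag and start a script element.
        if (!raw.contains("value=\"\"/><script>")) throw new AssertionError("raw");
        // Encoded output keeps the whole value inside the attribute.
        if (encoded.contains("<script>") || !encoded.contains("&quot;/&gt;&lt;script&gt;"))
            throw new AssertionError("encoded");
    }
}
```

Marking the session cookie `HttpOnly` keeps page script from reading `JSESSIONID`, but it does not remove the injection itself, so the encoding is still required wherever stored text is displayed.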
