[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518901 ]
Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------

> Are either of you up for helping with this?

At least I will have to.

> So, the first goal as I see it is to write up 2-3 manual processes for actual
> security vulnerabilities.

The obvious first target is the ecommerce side, because you can inject script in the checkout process (shipping address, name, ...).

> The only way I can think of you could do session hijacking is to have access
> to a browser an admin user has used and is still logged into, or by sniffing
> packets over the network.

I just did. Injecting from ecommerce (see above). Then when any logged-in user displays the script I get the JSESSIONID. That is all that is needed for me to enter the system as this user. If I am lucky I get an account that has access to the webtool, but that is not unlikely at all. Especially because it uses a different JSESSIONID (easy to detect) and because the script works when a user displays the malicious data in the webtool!

After that I have unlimited access to all the data, and I could download all password hashes for example. If the hack wasn't detected at this point I could then remove the malicious code and brute force the passwords (which is not difficult since the hashes are not salted (see another OFBIZ issue I opened)).

> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
>                 Key: OFBIZ-1193
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1193
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: SVN trunk
>         Environment: any environment
>            Reporter: Vikrant Rathore
>         Attachments: error screenshot.jpg
>
>
> This is a very critical bug in ofbiz: you can put in any html text including
> script or iframe tags in the input field for address update or customer name
> update, i.e. any text field in ofbiz.
> It's a major security issue for all the ofbiz installations since the text in
> the input text field is not sanitized.
> Below is small source code of the page where a script in the demo store for
> DemoCustomer profile which just pops up an alert box.
> <tr>
>   <td width="26%" align="right" valign="top"><div class="tabletext">Address Line 1</div></td>
>   <td width="5"> </td>
>   <td width="74%">
>     <input type="text" class='inputBox' size="30" maxlength="30" name="address1" value=""/><script>alert("a")</script>">
>     *</td>
> </tr>
> <tr>
> Along with this attached the screenshot you can try the demo on ofbiz
> ecommerce store on the ofbiz website and use DemoCustomer profile you will
> see the same screenshot.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
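The attribute breakout shown in the quoted page source, as an added example that is not OFBiz code: the `address1` value is rendered once by verbatim interpolation (the reported bug) and once with HTML attribute encoding, and a real HTML parser confirms which version lets the value escape the attribute. Python's `html.escape` stands in for the output encoding a template engine should apply; `PAYLOAD` is the report's own payload and the parser check is constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed input: the shape of the payload from the report. It closes the
# value attribute and the <input> tag, then appends a <script> element.
PAYLOAD = '"/><script>alert("a")</script>'


def render_unsafe(address1: str) -> str:
    """Vulnerable rendering: the stored value is interpolated verbatim."""
    return ('<input type="text" class="inputBox" size="30" maxlength="30" '
            f'name="address1" value="{address1}"/>')


def render_safe(address1: str) -> str:
    """Hardened rendering: encode &, <, >, " and ' before placing the value
    in a double-quoted attribute, so no input can terminate the attribute."""
    return ('<input type="text" class="inputBox" size="30" maxlength="30" '
            f'name="address1" value="{html.escape(address1, quote=True)}"/>')


class TagCollector(HTMLParser):
    """Records every start tag and the decoded value attribute of <input>s."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))


def parse(markup: str) -> TagCollector:
    """Parse the rendered fragment the way a browser tokenizer would."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def injects_script(markup: str) -> bool:
    """True if anything other than the single <input> element is emitted."""
    return parse(markup).tags != ["input"]
```

The safe rendering keeps the whole payload inside the attribute (the parser decodes it back to the original string), while the unsafe rendering yields an empty `value` followed by a live `<script>` element.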