[
https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518915
]
Wickersheimer Jeremy commented on OFBIZ-1193:
---------------------------------------------
For those who will want a work-around, disabling javascript on the ERP side
would prevent leaking authenticated sessions.
Then it should be possible to prevent leaked session to be usable by:
- checking the request parameters for suspicious changes :
different user-agent
different ip address (can cause issue with some setup using Proxy, fooled
by NAT)
external referer
- regenerating sessions for each request (also prevents session fixation)
the client is given a new JSESSIONID for each request which is then only
valid for the next request, if the session id is intercepted it must be used
before the client make another request (note that this is still possible)
Of course these measures can still be fooled easily
> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
> Key: OFBIZ-1193
> URL: https://issues.apache.org/jira/browse/OFBIZ-1193
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: SVN trunk
> Environment: any environment
> Reporter: Vikrant Rathore
> Attachments: error screenshot.jpg
>
>
> This a very critical bug in ofbiz you can put in any html text including
> script or iframe tags in the input field for address update or customer name
> update i.e. any text field in ofbiz.
> Its a major security issue for all the ofbiz installation since the text in
> the input text field is not sanitized.
> below is small source code of the page where a script in the demo store for
> DemoCustomer profile which just pops up an alert box.
> <tr>
> <td width="26%" align="right" valign="top"><div
> class="tabletext">Address Line 1</div></td>
> <td width="5"> </td>
> <td width="74%">
> <input type="text" class='inputBox' size="30" maxlength="30"
> name="address1" value=""/><script>alert("a")</script>">
> *</td>
> </tr>
> <tr>
> Along with this attached the screenshot you can try the demo on ofbiz
> ecommerce store on the ofbiz website and use DemoCustomer profile you will
> see the same screenshot.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
