[jira] Closed: (OFBIZ-178) Cross site scripting vulnerability in Forum

Fri, 13 Feb 2009 23:40:23 -0800 

     [ 
https://issues.apache.org/jira/browse/OFBIZ-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-178.
---------------------------------

    Resolution: Fixed
      Assignee: David E. Jones  (was: Jacques Le Roux)

Fixed by recent security efforts (though the message is not clear when trying 
to inject in forum body, title is ok (std input field vs content field)

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>                 Key: OFBIZ-178
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-178
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Eriks Dobelis
>            Assignee: David E. Jones
>             Fix For: SVN trunk
>
>
> Currently HTML tags are filtered from forum messages by client side 
> javascript (whyzzywig.js). If JavaScript is turned off (or local webproxy is 
> used to filter or change the script), then user can post a forum message 
> containing any HTML code, including <script> tags, e.g. 
> <script>alert('test');</script>
> This is classic cross site scripting problem with all the consequences (e.g. 
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that 
> user could change that text. I have not checked that, but as there are fields 
> like dataResourceTypeId, contentTypeId then probably user can create any type 
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to