On 2/12/2009, at 9:23 PM, Adam Heath wrote:
lekt...@apache.org wrote:

Author: lektran
Date: Sat Oct 17 08:40:17 2009
New Revision: 826196

URL: http://svn.apache.org/viewvc?rev=826196&view=rev
Log:
Fix security issue reported by Alexandre Mazari - OFBIZ-2747

Request parameters were being made available to surveys which in turn were sending them straight back to the browser, creating an XSS vulnerability. This isn't a true fix because I've simply disabled the functionality, but at least the security hole is plugged.

Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java

This change breaks purchase of gift cards. Go to /ecommerce, select gift card, $100 variant, classic type, add to cart, fill out survey, and then it fails to add to the cart. I would suggest reverting this commit, as having broken functionality is worse than having a security hole.

ps: I was able to find this by making use of 'git bisect'. I just love having a copy of all previous ofbiz history.
It's a pretty big security hole; I'd be interested in hearing the opinions of others before reverting. Blindly passing all incoming parameters back out to the resulting page is pretty bad form and needs to be fixed.
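To make the pattern under discussion concrete, here is an added illustration (not OFBiz code, and not the change in SurveyWrapper.java) that contrasts echoing every request parameter back into the page with an allow-listed, HTML-escaped version. The class name, the `renderUnsafe`/`renderSafe` methods, the parameter names and the "GIFT_CARD_SURVEY" value are all constructed for the example and carry no meaning inside OFBiz.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration (not OFBiz code): the "echo everything back" pattern
 * the commit message describes, next to an allow-listed, escaped version.
 */
public class SurveyParamEcho {

    /** Vulnerable pattern: every incoming parameter is written back raw as a hidden field. */
    public static String renderUnsafe(Map<String, String> requestParams) {
        StringBuilder html = new StringBuilder();
        for (Map.Entry<String, String> e : requestParams.entrySet()) {
            html.append("<input type=\"hidden\" name=\"").append(e.getKey())
                .append("\" value=\"").append(e.getValue()).append("\"/>\n");
        }
        return html.toString();
    }

    /**
     * Hardened version: only parameter names the survey actually needs are
     * carried forward, and both name and value are escaped for an HTML attribute.
     */
    public static String renderSafe(Map<String, String> requestParams, Set<String> allowedNames) {
        StringBuilder html = new StringBuilder();
        for (String name : allowedNames) {
            String value = requestParams.get(name);
            if (value == null) {
                continue; // not supplied in this request, nothing to carry forward
            }
            html.append("<input type=\"hidden\" name=\"").append(escapeHtml(name))
                .append("\" value=\"").append(escapeHtml(value)).append("\"/>\n");
        }
        return html.toString();
    }

    /** Minimal escaper for the five characters that can break out of HTML text or attributes. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request: the two fields a survey might need, plus one
        // extra parameter carrying markup that should never reach the page.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("surveyId", "GIFT_CARD_SURVEY");          // constructed placeholder value
        params.put("recipientName", "Alice");
        params.put("junk", "\"><script>alert(1)</script>");  // constructed hostile value
        Set<String> allowed = Set.of("surveyId", "recipientName");

        System.out.println("--- unsafe ---");
        System.out.println(renderUnsafe(params));   // contains a live <script> tag
        System.out.println("--- safe ---");
        System.out.println(renderSafe(params, allowed)); // "junk" is dropped entirely
        // Had the hostile value been in an allowed field, it would come out as
        // &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt; and render as inert text.
    }
}
```

The commit in the thread takes the blunt route of disabling the pass-through, which is why the gift card survey stops working; an allow-list of the parameter names the survey genuinely needs, combined with contextual output encoding, is the usual way to restore the feature without reopening the hole. Whether that matches what OFBiz later did is not something this thread states.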