Scott Gray wrote:
> On 2/12/2009, at 9:23 PM, Adam Heath wrote:
> 
>> lekt...@apache.org wrote:
>>> Author: lektran
>>> Date: Sat Oct 17 08:40:17 2009
>>> New Revision: 826196
>>>
>>> URL: http://svn.apache.org/viewvc?rev=826196&view=rev
>>> Log:
>>> Fix security issue reported by Alexandre Mazari - OFBIZ-2747
>>> Request parameters were being made available to surveys which in turn
>>> were sending them straight back to the browser creating an XSS
>>> vulnerability.
>>> This isn't a true fix because I've simply disabled the functionality
>>> but at least the security hole is plugged.
>>>
>>> Modified:
>>>   
>>> ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
>>>
>>
>> This change breaks purchase of gift cards.  Go to /ecommerce, select
>> gift card, $100 variant, classic type, add to cart, fill out survey,
>> and then it fails to add to the cart.
>>
>> I would suggest reverting this commit, as having broken functionality
>> is worse than having a security hole.
>>
>> ps: I was able to find this by making use of 'git bisect'.  I just
>> love having a copy of all previous ofbiz history.
> 
> It's a pretty big security hole, I'd be interested in hearing the
> opinions of others before reverting.  Blindly passing all incoming
> parameters back out to the resulting page is pretty bad form and needs
> to be fixed.

This seems to happen when chained requests occur,
/control/additemsurvey/addproduct, or some such.  The previous step
then sends in all parameters needed by both requests.

I wouldn't know how to fix this, as we use our own frontend, not the
controller, widget or minilang systems.
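As an added illustration of the pattern the thread is arguing about (this is example code written for this page, not OFBiz's SurveyWrapper or the r826196 change): a survey step that copies every incoming request parameter into hidden form fields reflects attacker-controlled values into the page, whereas naming the parameters the survey actually needs and HTML-escaping their values keeps a chained request like additemsurvey/addproduct working without echoing arbitrary input. The parameter names in the allowlist and the request contents are assumptions constructed for the demo.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative survey-parameter handling. Not OFBiz code; it only
 * mirrors the shape of the problem discussed in the thread.
 */
public class SurveyParamFilter {

    // Hypothetical allowlist: the parameters a survey template legitimately
    // needs from the preceding request in a chained request.
    static final Set<String> SURVEY_PARAM_ALLOWLIST = Set.of("productId", "surveyId", "quantity");

    /** Minimal HTML escaping for values echoed into text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The unsafe pattern: every request parameter, verbatim, handed to the survey. */
    static Map<String, String> passThrough(Map<String, String> requestParams) {
        return new LinkedHashMap<>(requestParams);
    }

    /** Allowlist by name and escape by value before the survey template sees them. */
    static Map<String, String> filterForSurvey(Map<String, String> requestParams) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : requestParams.entrySet()) {
            if (SURVEY_PARAM_ALLOWLIST.contains(e.getKey())) {
                safe.put(e.getKey(), escapeHtml(e.getValue()));
            }
        }
        return safe;
    }

    /** Render hidden inputs the way a survey form might, so the next request receives them. */
    static String renderHiddenInputs(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append("<input type=\"hidden\" name=\"").append(e.getKey())
              .append("\" value=\"").append(e.getValue()).append("\"/>\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed request, shaped like a gift-card add-to-cart step that
        // carries parameters for both the survey and the later addproduct call.
        Map<String, String> req = new LinkedHashMap<>();
        req.put("productId", "GC-100");
        req.put("quantity", "1");
        req.put("comment", "\"><b>injected</b>");  // constructed hostile value

        System.out.println("-- pass-through: attribute is broken out of, markup reaches the page --");
        System.out.print(renderHiddenInputs(passThrough(req)));
        System.out.println("-- allowlisted + escaped: only the needed fields, values inert --");
        System.out.print(renderHiddenInputs(filterForSurvey(req)));
    }
}
```

The first rendering shows why the commit message calls it an XSS: the `comment` value closes the `value` attribute and injects markup. The second keeps `productId` and `quantity` flowing to the next request, which is the part whose removal broke the gift-card purchase in the report above, while dropping unknown names and neutralising special characters in the rest.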
