On 2/12/2009, at 9:35 PM, Adam Heath wrote:

Scott Gray wrote:
On 2/12/2009, at 9:23 PM, Adam Heath wrote:

lekt...@apache.org wrote:
Author: lektran
Date: Sat Oct 17 08:40:17 2009
New Revision: 826196

URL: http://svn.apache.org/viewvc?rev=826196&view=rev
Log:
Fix security issue reported by Alexandre Mazari - OFBIZ-2747
Request parameters were being made available to surveys which in turn
were sending them straight back to the browser creating an XSS
vulnerability.
This isn't a true fix because I've simply disabled the functionality
but at least the security hole is plugged.

Modified:

ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java


This change breaks purchase of gift cards.  Go to /ecommerce, select
gift card, $100 variant, classic type, add to cart, fill out survey,
and then it fails to add to the cart.

I would suggest reverting this commit, as having broken functionality
is worse than having a security hole.

ps: I was able to find this by making use of 'git bisect'.  I just
love having a copy of all previous ofbiz history.

It's a pretty big security hole, I'd be interested in hearing the
opinions of others before reverting.  Blindly passing all incoming
parameters back out to the resulting page is pretty bad form and needs
to be fixed.

This seems to happen when chained requests occur,
/control/additemsurvey/addproduct, or some such.  The previous step
then sends in all parameters needed by both requests.

I wouldn't know how to fix this, as we use our own frontend, not the
controller, widget or minilang systems.

I'll try and have a look at it tomorrow, I didn't have a use case for the pass through parameters at the time so I couldn't easily see how they were being used. Now that I have one, it should be easier to come up with an alternate solution.
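To illustrate the pattern the thread is arguing about, the following is an added, hypothetical example and not code from OFBiz or from anyone in this thread. It puts the "reflect every incoming parameter" behaviour beside a hardened variant that only passes through an allowlist of parameters the chained request needs and HTML-escapes them on output; the class name, the allowlist entries and the sample parameters are all constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical pass-through of survey parameters (illustration, not OFBiz code). */
public class SurveyPassThrough {
    // Constructed allowlist: only the parameters the chained add-to-cart
    // request actually needs are allowed to travel through the survey page.
    static final Set<String> ALLOWED = Set.of("productId", "quantity");

    /** The behaviour described in the thread: every parameter is echoed unchanged. */
    static String renderUnsafe(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append("<input type=\"hidden\" name=\"").append(e.getKey())
              .append("\" value=\"").append(e.getValue()).append("\"/>\n");
        }
        return sb.toString();
    }

    /** Hardened form: drop unknown names, escape the values that remain. */
    static String renderSafe(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!ALLOWED.contains(e.getKey())) continue; // not needed downstream
            sb.append("<input type=\"hidden\" name=\"").append(escape(e.getKey()))
              .append("\" value=\"").append(escape(e.getValue())).append("\"/>\n");
        }
        return sb.toString();
    }

    /** Minimal HTML attribute escaping; order matters (ampersand first). */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>(); // constructed request
        params.put("productId", "GC-001");
        params.put("quantity", "1");
        params.put("note", "\"><b>injected</b>"); // constructed attribute breakout
        System.out.println(renderUnsafe(params)); // 'note' breaks out of the attribute
        System.out.println(renderSafe(params));   // 'note' is dropped; values escaped
    }
}
```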

