[ 
http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430290 ] 
            
Eriks Dobelis commented on OFBIZ-178:
-------------------------------------

Si,

It cannot be fixed in whizzywyg.js (it already does correct filtering now), 
because when JavaScript is turned off in the browser whizzywyg is not used at 
all. It has to be done on the server side, because all client-side controls can be 
easily manipulated by a malicious user.

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>                 Key: OFBIZ-178
>                 URL: http://issues.apache.org/jira/browse/OFBIZ-178
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>            Reporter: Eriks Dobelis
>
> Currently HTML tags are filtered from forum messages by client-side 
> JavaScript (whizzywyg.js). If JavaScript is turned off (or a local web proxy is 
> used to filter or change the script), then the user can post a forum message 
> containing any HTML code, including <script> tags, e.g. 
> <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g. 
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that the 
> user could change that text. I have not checked that, but as there are fields 
> like dataResourceTypeId and contentTypeId, the user can probably create any type 
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
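The server-side handling Eriks asks for, as an added example written for this page (it is not OFBiz code and does not reflect how the forum service was actually fixed): the message body is HTML-escaped before it is stored or rendered, so a <script> tag submitted with JavaScript disabled or through a local proxy is displayed as text rather than executed, and the hidden-field values the form carries (dataResourceTypeId, contentTypeId, contentAssocTypeId) are checked against the values the server itself offered instead of being trusted from the request. The parameter name textData and the allowed-value sets are assumptions modelled on the form fields quoted above; the request map is constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Server-side checks for a forum post. Nothing here depends on whizzywyg.js
 * or on any other client-side control, because the client can change or
 * drop all of those.
 */
public class ForumPostValidator {

    // Hidden fields whose values the server must not take on trust.
    // Allowed values are an assumption for this example, taken from the
    // values visible in the posted form.
    private static final Map<String, Set<String>> ALLOWED_HIDDEN = Map.of(
        "dataResourceTypeId", Set.of("ELECTRONIC_TEXT"),
        "contentTypeId",      Set.of("DOCUMENT"),
        "contentAssocTypeId", Set.of("RESPONSE"));

    /** Escape every HTML-significant character so the text is rendered, never interpreted. */
    public static String escapeHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Reject a request whose hidden fields carry a value the server never offered. */
    public static void checkHiddenFields(Map<String, String> params) {
        for (Map.Entry<String, Set<String>> e : ALLOWED_HIDDEN.entrySet()) {
            String value = params.get(e.getKey());
            if (value == null || !e.getValue().contains(value)) {
                throw new IllegalArgumentException(
                    "unexpected value for " + e.getKey() + ": " + value);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed request, as a user would submit it after bypassing the client-side filter.
        // "textData" is an assumed name for the message-body parameter.
        Map<String, String> params = new HashMap<>();
        params.put("dataResourceTypeId", "ELECTRONIC_TEXT");
        params.put("contentTypeId", "DOCUMENT");
        params.put("contentAssocTypeId", "RESPONSE");
        params.put("textData", "<script>alert('test');</script>");

        checkHiddenFields(params);
        // The stored/rendered body contains no live tags.
        System.out.println(escapeHtml(params.get("textData")));

        // Tampered hidden field: rejected server-side regardless of what the browser sent.
        params.put("contentTypeId", "TEMPLATE");
        try {
            checkHiddenFields(params);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Escaping everything is the safe baseline; if the forum is meant to keep a subset of formatting tags, that allow-list has to be enforced server-side with an HTML-parser-based sanitizer, not with a regular expression, and the client-side editor then only improves the editing experience rather than providing any security.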