[CVE-2012-1621] Apache OFBiz information disclosure vulnerability

[Jacopo Cappellato <jacopoc () apache org>]

CVE-2012-1621: Apache OFBiz information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation - Apache OFBiz

======Versions Affected======

Apache OFBiz 10.04 (also known as 10.04.01)

======Description======

Multiple XSS:

XSS 1:
Error messages containing user input returned via ajax requests
weren't being escaped

XSS 2:
Parameter arrays (converted to Lists by OFBiz) weren't being
auto-encoded in freemarker templates.  An attacker could send multiple
parameters sharing the same name where only a single value was
expected, because the value was a List instead of a String rendering
the parameter in freemarker via ${parameter} would bypass OFBiz's
automatic html encoding.

XSS 3:
Requests that used the cms event were susceptible to XSS attacks via
the contentId and mapKey parameters because if the content was found
to be missing an unencoded error message containing the supplied
values was being streamed to the browser.

XSS 4:
Requests that used the experimental Webslinger component were susceptible to XSS attacks

====== Mitigation======

10.04 users should upgrade to 10.04.02

======Credit======

These issues were discovered by Matias Madou (mmadou () hp com) of Fortify/HP Security Research Group

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail