Full Disclosure mailing list archives
(no subject)
From: Ēriks <eriks00 () moon lv>
Date: Sat, 9 Dec 2006 15:01:04 +0200 (EET)
Open source ERP and e-commerce package OFBIZ has an XSS vulnerability in the forum functionality. This was initially posted on Ofbiz JIRA issue tracking system (https://issues.apache.org/jira/browse/OFBIZ-178) on 22/Aug/06. I last verified it in revision 469895 (1/Nov/06), and it was still present. As far as I know (and from activity on JIRA) nothing has changed.

Repeating the vulnerability is straightforward:
1) Install OFBIZ;
2) Disable JavaScript in browser;
3) Log in and browse to forum (with default install you will see Browse Forums/Gizmos on the left side);
4) Post a message like <script>alert('XSS vulnerability test');</script>
5) Enable JavaScript;

So if you are a customer going to some vendor's OFBIZ site, don't go to Forums section as you might be affected (if your JavaScript is enabled). If you are using OFBIZ for your e-commerce site, disable all forum functionality until the vulnerability is fixed.

Ēriks Dobelis
http://www.biti.lv/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
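The flaw reported above, a stored forum message reaching the page without output encoding, shown next to its encoded form together with a regression check a site operator can run over rendered pages. This is an added example, not part of the original post and not OFBiz code; the template, field names, function names and sample posts are constructed, and Python stands in for the Java/template layer.

```python
import html
from html.parser import HTMLParser

# Constructed sample posts; the second body is the test message from step 4.
POSTS = [
    {"author": "alice", "subject": "Gizmo question",
     "body": "Are batteries & charger included?"},
    {"author": "eve", "subject": "test",
     "body": "<script>alert('XSS vulnerability test');</script>"},
]

# Hypothetical forum template, not OFBiz markup.
TEMPLATE = ('<div class="post"><h3>%(subject)s</h3>'
            '<span class="by">%(author)s</span><p>%(body)s</p></div>')

def render_unescaped(post):
    """Vulnerable pattern: stored text goes into the markup as-is."""
    return TEMPLATE % post

def render_escaped(post):
    """Hardened pattern: every stored field is HTML-encoded at output time."""
    return TEMPLATE % {k: html.escape(v, quote=True) for k, v in post.items()}

class ActiveContentFinder(HTMLParser):
    """Records tags and on* attributes that the template itself never emits."""
    TEMPLATE_TAGS = {"div", "h3", "span", "p"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TEMPLATE_TAGS:
            self.findings.append(tag)
        self.findings += [n for n, _ in attrs if n.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)

def audit(render, posts=POSTS):
    """Render all posts and return (unexpected tags/handlers, visible text)."""
    finder = ActiveContentFinder()
    finder.feed("".join(render(p) for p in posts))
    finder.close()
    return finder.findings, "".join(finder.text)

if __name__ == "__main__":
    print("unescaped:", audit(render_unescaped)[0])
    print("escaped:  ", audit(render_escaped)[0])
```

With encoding applied at output time the test message is still shown to readers as literal text, so the check passes without dropping or rewriting what users posted.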