Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

(no subject)

From: Ēriks <eriks00 () moon lv>
Date: Sat, 9 Dec 2006 15:01:04 +0200 (EET)
Open source ERP and e-commerce package OFBIZ has an XSS vulnerability in
the forum functionality. This was initially posted on Ofbiz JIRA issue
tracking system (https://issues.apache.org/jira/browse/OFBIZ-178) on
22/Aug/06.

I last verified it in revision 469895 (1/Nov/06), and it was still
present. As far as I know (and from activity on JIRA) nothing has changed.

Repeating the vulnerability is straight forward:
1) Install OFBIZ;
2) Disable JavaScript in browser;
3) Log in and browse to forum (with default install you will see Browse
Forums/Gizmos on the left side);
4) Post a message like <script>alert('XSS vulnerability test');</script>
5) Enable JavaScript;

So if you are a customer going to some vendor's OFBIZ site, don't go to
Forums section as you might be affected (if your JavaScript is enabled).
If you are using OFBIZ for your e-commerce site, disable all forum
functionality until the vulnerability is fixed.

Ēriks Dobelis
http://www.biti.lv/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: