Vulnwatch mailing list archives
XSS vulnerability in OFBIZ forum
From: Ēriks <eriks00 () moon lv>
Date: Fri, 8 Dec 2006 17:35:36 +0200 (EET)
Open source ERP and e-commerce package OFBIZ has an XSS vulnerability in the forum functionality. This was initially posted on the Ofbiz JIRA issue tracking system (https://issues.apache.org/jira/browse/OFBIZ-178) on 22/Aug/06. I last verified it in revision 469895 (1/Nov/06), and it was still present. As far as I know (and from activity on JIRA) nothing has changed.

Repeating the vulnerability is straightforward:

1) Install OFBIZ;
2) Disable JavaScript in browser;
3) Log in and browse to forum (with default install you will see Browse Forums/Gizmos on the left side);
4) Post a message like <script>alert('XSS vulnerability test');</script>
5) Enable JavaScript;

So if you are a customer going to some vendor's OFBIZ site, don't go to the Forums section as you might be affected (if your JavaScript is enabled). If you are using OFBIZ for your e-commerce site, disable all forum functionality until the vulnerability is fixed.

Ēriks Dobelis
http://www.biti.lv/
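Added here as an illustration of the defect the post describes (example code, not from the advisory or from OFBiz): the unsafe and the escaped way of rendering a stored forum post, plus a check that audits already-stored forum content for raw markup. The sample posts and all function names are constructed for this example.

```python
import html
import re

# Constructed sample data: the test post from the advisory plus a benign post
# that legitimately contains '<' and '&' and must survive escaping unchanged in meaning.
SAMPLE_POSTS = [
    {"author": "tester", "body": "<script>alert('XSS vulnerability test');</script>"},
    {"author": "alice", "body": "Is 2 < 3 in the price filter? & thanks"},
]


def render_unsafe(post):
    """The vulnerable pattern: user-supplied text is pasted straight into the page,
    so a stored <script> tag is executed by every visitor's browser."""
    return f"<div class='post'><b>{post['author']}</b>: {post['body']}</div>"


def render_escaped(post):
    """Hardened: HTML-escape every user-controlled field at output time,
    so the stored payload is displayed as literal text instead of being run."""
    return (f"<div class='post'><b>{html.escape(post['author'])}</b>: "
            f"{html.escape(post['body'])}</div>")


# Matches a '<' followed by an optional '/' and a tag-name letter; a bare "2 < 3" does not match.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def contains_markup(text):
    """True if stored content contains something that looks like an HTML tag."""
    return bool(_TAG_RE.search(text))


def audit(posts):
    """Return the authors of posts whose bodies contain raw markup, for reviewing
    an existing forum database after the fact."""
    return [p["author"] for p in posts if contains_markup(p["body"])]


if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print("unsafe :", render_unsafe(p))
        print("escaped:", render_escaped(p))
    print("posts with raw markup:", audit(SAMPLE_POSTS))
```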