Posted to dev@ofbiz.apache.org by "Michele Orru (JIRA)" <ji...@apache.org> on 2009/02/18 10:35:13 UTC

[jira] Resolved: (OFBIZ-2194) Password visible in URL query string & hidden parameter (pre/post auth)

     [ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michele Orru resolved OFBIZ-2194.
---------------------------------

    Resolution: Fixed

Confirmed fixed in rev. 742352

> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-2194
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2194
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Michele Orru
>             Fix For: SVN trunk
>
>
> When logging in to the ecommerce application, if we send a POST request to the login URI deliberately supplying a wrong user/passwd pair,
> the application responds by embedding in the HTML the link to which we sent our request, plus the USERNAME/PASSWORD parameters (with their respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
>     <ul id="left-links">
>             <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
>         <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
>         <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
>     </ul>
>     <ul id="right-links">
>         <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
>         <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
>         <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
>         <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
>         <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping&nbsp;Lists</a></li>
>         <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order&nbsp;History</a></li>
>     </ul>
> </div>
> [...]
> Now, that's not so bad: basically it is not an exploitable issue.
> The serious point is that if we log in with valid credentials, the HTML page that will be rendered after the successful login will contain a hidden parameter with our password, which can be easily grabbed thanks to the XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST --- 
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
>     <div class="screenlet-header">
>         <div class="boxhead">Mini-Poll Poll</div>
>     </div>
>     <div class="screenlet-body">
>         <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>           
>     <input type="hidden" name="PASSWORD" value="euronymous666"/>
>     <input type="hidden" name="USERNAME" value="euronymous"/>
>   <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun 
> Michele Orrù

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
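As an added example (not OFBiz code and not part of the report above), a small Python check a defender could run over rendered responses in a regression test to catch the two echo patterns the report describes: credential parameters in a link's query string, and credential-named hidden form inputs. The parameter names and the sample fragments come from the report; the class and function names are my own. Findings record only where a parameter was echoed, never its value, so they can be logged safely.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Parameter names from the report that must never be echoed into a page.
SENSITIVE_PARAMS = {"USERNAME", "PASSWORD"}


class CredentialEchoScanner(HTMLParser):
    """Records (location, parameter) pairs where a credential parameter is
    echoed: inside an <a href> query string, or as a hidden <input>.
    Values are deliberately not recorded, so findings are safe to log."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            # Only the query string matters; ';jsessionid=' path params are ignored.
            for name in parse_qs(urlsplit(a["href"]).query):
                if name.upper() in SENSITIVE_PARAMS:
                    self.findings.append(("href", name))
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name") or ""
            if name.upper() in SENSITIVE_PARAMS:
                self.findings.append(("hidden", name))


def scan_html(body):
    """Return every credential echo found in an HTML response body (empty list = clean)."""
    scanner = CredentialEchoScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed fragments mirroring the two responses quoted in the report.
PRE_AUTH_RESPONSE = """<ul id="left-links">
  <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
  <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
</ul>"""

POST_AUTH_RESPONSE = """<form method="post" action="/ecommerce/control/minipoll/main">
  <input type="hidden" name="PASSWORD" value="euronymous666"/>
  <input type="hidden" name="USERNAME" value="euronymous"/>
  <input type="hidden" name="partyId" value="10010"/>
</form>"""

if __name__ == "__main__":
    for label, body in (("pre-auth", PRE_AUTH_RESPONSE), ("post-auth", POST_AUTH_RESPONSE)):
        print(label, scan_html(body))
```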