You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Philipp Hoppen (JIRA)" <ji...@apache.org> on 2009/01/13 13:26:15 UTC
[jira] Created: (OFBIZ-2121) XSS vulnerability in
eCommerce/ordermgr
XSS vulnerability in eCommerce/ordermgr
---------------------------------------
Key: OFBIZ-2121
URL: https://issues.apache.org/jira/browse/OFBIZ-2121
Project: OFBiz
Issue Type: Bug
Components: order
Affects Versions: SVN trunk
Reporter: Philipp Hoppen
Any HTML/Javascript that is placed within the fields "shipping_instructions" or "gift_message" (possibly other fields too) when making a new order in eCommerce is executed in the ordermgr module when the order is displayed. For example, using this HTML code
<iframe
src="http://ofbiz.apache.org/"
style="position:absolute;
top:0;left:0; border:0px
#FFFFFF none;" name="myframe"
marginheight="0px"
marginwidth="0px" height="768"
width="1024"></iframe>
an iframe is displayed with the OFBiz project home page. Now suppose the iframe actually displays a faked OFBiz login page or anything like this (the possibilities are endless...).
Is there any reason why the FTL escape directives are not used (in this case in orderheader.ftl) to encode content properly using for example something like this:
<#escape x as x?html>
First name: ${firstName}
Last name: ${lastName}
Maiden name: ${maidenName}
</#escape>
(See http://freemarker.org/docs/ref_directive_escape.html for details)
I know there were some other Jira issues about similar problems, but I didn't see any current effort to fix these things.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (OFBIZ-2121) XSS vulnerability in eCommerce/ordermgr
Posted by "Adrian Crum (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2121?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adrian Crum closed OFBIZ-2121.
------------------------------
Resolution: Duplicate
If anyone has anything to contribute, they can contribute it using one of the existing Jira issues.
> XSS vulnerability in eCommerce/ordermgr
> ---------------------------------------
>
> Key: OFBIZ-2121
> URL: https://issues.apache.org/jira/browse/OFBIZ-2121
> Project: OFBiz
> Issue Type: Bug
> Components: order
> Affects Versions: SVN trunk
> Reporter: Philipp Hoppen
>
> Any HTML/Javascript that is placed within the fields "shipping_instructions" or "gift_message" (possibly other fields too) when making a new order in eCommerce is executed in the ordermgr module when the order is displayed. For example, using this HTML code
> <iframe
> src="http://ofbiz.apache.org/"
> style="position:absolute;
> top:0;left:0; border:0px
> #FFFFFF none;" name="myframe"
> marginheight="0px"
> marginwidth="0px" height="768"
> width="1024"></iframe>
> an iframe is displayed with the OFBiz project home page. Now suppose the iframe actually displays a faked OFBiz login page or anything like this (the possibilities are endless...).
> Is there any reason why the FTL escape directives are not used (in this case in orderheader.ftl) to encode content properly using for example something like this:
> <#escape x as x?html>
> First name: ${firstName}
> Last name: ${lastName}
> Maiden name: ${maidenName}
> </#escape>
> (See http://freemarker.org/docs/ref_directive_escape.html for details)
> I know there were some other Jira issues about similar problems, but I didn't see any current effort to fix these things.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.