Posted to user@ofbiz.apache.org by Jacopo Cappellato <ja...@apache.org> on 2012/04/15 15:33:25 UTC

[CVE-2012-1621] Apache OFBiz information disclosure vulnerability

CVE-2012-1621: Apache OFBiz information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation - Apache OFBiz

======Versions Affected======

Apache OFBiz 10.04 (also known as 10.04.01)

======Description======

Multiple XSS:

XSS 1:
Error messages containing user input returned via ajax requests
weren't being escaped.

XSS 2:
Parameter arrays (converted to Lists by OFBiz) weren't being
auto-encoded in freemarker templates. An attacker could send multiple
parameters sharing the same name where only a single value was
expected; because the value was a List instead of a String, rendering
the parameter in freemarker via ${parameter} would bypass OFBiz's
automatic html encoding.

XSS 3:
Requests that used the cms event were susceptible to XSS attacks via
the contentId and mapKey parameters because, if the content was found
to be missing, an unencoded error message containing the supplied
values was being streamed to the browser.

XSS 4:
Requests that used the experimental Webslinger component were susceptible to XSS attacks.

======Mitigation======

10.04 users should upgrade to 10.04.02.

======Credit======

These issues were discovered by Matias Madou (mmadou@hp.com) of Fortify/HP Security Research Group
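The following is an added illustration of the escaping gap behind XSS 2 and the unencoded error message behind XSS 3; it is not code from the advisory or from OFBiz, and it models the behaviour in Python rather than in OFBiz's Java/FreeMarker stack. The function names, the constructed query strings and the "encoder" hook that stands in for ${parameter} interpolation are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qsl

# Constructed sample query strings (not taken from the advisory).
# The second one repeats a parameter name where a single value is expected.
SINGLE_VALUE_QUERY = "name=alice"
REPEATED_NAME_QUERY = "name=alice&name=<script>alert(1)</script>"


def build_parameter_map(query):
    """Mimic a framework that collapses repeated parameter names into a
    list (the advisory describes OFBiz converting parameter arrays to Lists)."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in params:
            params[key] = value
        elif isinstance(params[key], list):
            params[key].append(value)
        else:
            params[key] = [params[key], value]
    return params


def escape_strings_only(value):
    """The flawed behaviour described under XSS 2: only str values are
    HTML-encoded; any other type is rendered with str() untouched."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    return str(value)


def escape_any(value):
    """Hardened encoder: every string is encoded, and containers are
    walked so a list-valued parameter cannot carry raw markup to the page."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, (list, tuple)):
        return "[" + ", ".join(escape_any(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{" + ", ".join(
            escape_any(k) + ": " + escape_any(v) for k, v in value.items()) + "}"
    return html.escape(str(value), quote=True)


def render_greeting(param_value, encoder):
    """Stand-in for a template containing ${parameter}: the engine passes the
    parameter value through the encoder and splices the result into HTML."""
    return "<p>Hello " + encoder(param_value) + "</p>"


def contains_raw_markup(rendered):
    """True if a script tag survived rendering unencoded."""
    return "<script" in rendered


def missing_content_error(content_id, map_key):
    """XSS 3 pattern, hardened: an error page that echoes the requested
    identifiers encodes them before the text is streamed to the browser."""
    return ('<div class="error">Content not found: contentId='
            + html.escape(content_id, quote=True)
            + ", mapKey=" + html.escape(map_key, quote=True) + "</div>")


def multi_valued_parameters(params):
    """Defender-side check: names that arrived with more than one value,
    i.e. the inputs the type-dependent encoder would have let through."""
    return sorted(k for k, v in params.items() if isinstance(v, list))


if __name__ == "__main__":
    params = build_parameter_map(REPEATED_NAME_QUERY)
    print(render_greeting(params["name"], escape_strings_only))  # markup survives
    print(render_greeting(params["name"], escape_any))           # markup encoded
    print(multi_valued_parameters(params))
```

The point of the pair of encoders is that an auto-escaping layer keyed on the value's type is only as good as its coverage of every type a request can produce; the hardened version escapes by walking the value rather than by asking whether it happens to be a String. The last helper is the check a reviewer can run over captured request parameter maps to find where repeated names actually reach templates.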

Re: [CVE-2012-1621] Apache OFBiz information disclosure vulnerability

Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
The bugs have been reported on the 10.04 series and if you are running 09.04 you should not be affected; of course there are good reasons to plan for the upgrade to 10.04 because 09.04 is an old branch and, according to the current release plan, it is now closed:

http://ofbiz.apache.org/download.html

Jacopo

On May 23, 2012, at 9:25 PM, Soon Won Park wrote:

> Good afternoon guys!
> 
> Do you know how I can make sure that I'm using a non-vulnerable version?
> 
> According to this email, I need to upgrade from OFBiz 10.04 to
> 10.04.02. But I'm using an optimized version which has been derived
> from OFBiz 9.x.
> And we customized a lot, so I cannot simply upgrade to 10.04.02.
> 
> I checked the trunk and tags, and it looks like there were lots of changes
> between 10.04 (1060844) and 10.04.02 (1326267). So I'm not sure which part I
> need to take a look at to make sure my version is secure.
> 
> Can you give me an idea how I can check my version?
> 
> Thank you for reading.
> 
> Soon-won


Re: [CVE-2012-1621] Apache OFBiz information disclosure vulnerability

Posted by Soon Won Park <ar...@gmail.com>.
Good afternoon guys!

Do you know how I can make sure that I'm using a non-vulnerable version?

According to this email, I need to upgrade from OFBiz 10.04 to
10.04.02. But I'm using an optimized version which has been derived
from OFBiz 9.x.
And we customized a lot, so I cannot simply upgrade to 10.04.02.

I checked the trunk and tags, and it looks like there were lots of changes
between 10.04 (1060844) and 10.04.02 (1326267). So I'm not sure which part I
need to take a look at to make sure my version is secure.

Can you give me an idea how I can check my version?

Thank you for reading.

Soon-won
