You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Michele Orru (JIRA)" <ji...@apache.org> on 2009/02/17 15:22:59 UTC
[jira] Created: (OFBIZ-2194) Password visible in URL query string &
hidden parameter (pre/post auth)
Password visible in URL query string & hidden parameter (pre/post auth)
-----------------------------------------------------------------------
Key: OFBIZ-2194
URL: https://issues.apache.org/jira/browse/OFBIZ-2194
Project: OFBiz
Issue Type: Bug
Components: ecommerce
Affects Versions: SVN trunk
Reporter: Michele Orru
Fix For: SVN trunk
When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
--- REQUEST ---
POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
--- RESPONSE ---
[...]
<div id="ecom-header-bar">
<ul id="left-links">
<li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
<li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
<li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
</ul>
<ul id="right-links">
<!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
<li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
<li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
<li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
<li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
<li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li>
</ul>
</div>
[...]
Now, that's not son bad: basically is not an exploitable issue.
The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application.
--- REQUEST ---
POST /ecommerce/control/login HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://localhost:8443/ecommerce/control/login
Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
USERNAME=euronymous&PASSWORD=euronymous666
--- RESPONSE ---
[...]
<div class="screenlet">
<div class="screenlet-header">
<div class="boxhead">Mini-Poll Poll</div>
</div>
<div class="screenlet-body">
<form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
<input type="hidden" name="PASSWORD" value="euronymous666"/>
<input type="hidden" name="USERNAME" value="euronymous"/>
<input type="hidden" name="partyId" value="10010"/>
<input type="hidden" name="surveyId" value="1003"/>
[...]
Have fun
Michele Orrù
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (OFBIZ-2194) Password visible in URL
query string & hidden parameter (pre/post auth)
Posted by "Michele Orru (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674546#action_12674546 ]
euronymous edited comment on OFBIZ-2194 at 2/18/09 1:29 AM:
--------------------------------------------------------------
Hi David
Yes you're right. I'm sorry but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPI integration.
The issue has been correctly fixed. Sorry to "spam" (anyway I did'n find anything relating in jira, so credits are mine ahahaha..joke)
All The Best David
Michele
was (Author: euronymous):
Hi David
Yes you're right. I'm sorry but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPOI integration.
The issue has been correctly fixed. Sorry to "spam" (anyway I did'n find anything relating in jira, so credits are mine ahahaha..joke)
All The Best David
Michele
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
> <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not son bad: basically is not an exploitable issue.
> The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (OFBIZ-2194) Password visible in URL query string
& hidden parameter (pre/post auth)
Posted by "Michele Orru (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michele Orru resolved OFBIZ-2194.
---------------------------------
Resolution: Fixed
Confirmed fixed in rev. 742352
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
> <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not son bad: basically is not an exploitable issue.
> The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2194) Password visible in URL query string
& hidden parameter (pre/post auth)
Posted by "Michele Orru (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674546#action_12674546 ]
Michele Orru commented on OFBIZ-2194:
-------------------------------------
Hi David
Yes you're right. I'm sorry but I was pen testing a not-so-updated trunk version, prior to your changes with ESAPOI integration.
The issue has been correctly fixed. Sorry to "spam" (anyway I did'n find anything relating in jira, so credits are mine ahahaha..joke)
All The Best David
Michele
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
> <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not son bad: basically is not an exploitable issue.
> The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (OFBIZ-2194) Password visible in URL
query string & hidden parameter (pre/post auth)
Posted by "Michele Orru (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674547#action_12674547 ]
euronymous edited comment on OFBIZ-2194 at 2/18/09 1:35 AM:
--------------------------------------------------------------
Confirmed fixed in rev. 742352
Credits to David E. Jones (not to me :) )
was (Author: euronymous):
Confirmed fixed in rev. 742352
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
> <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not son bad: basically is not an exploitable issue.
> The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (OFBIZ-2194) Password visible in URL query string &
hidden parameter (pre/post auth)
Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-2194.
----------------------------------
Assignee: David E. Jones
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Assignee: David E. Jones
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
> <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not son bad: basically is not an exploitable issue.
> The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2194) Password visible in URL query string
& hidden parameter (pre/post auth)
Posted by "David E. Jones (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674406#action_12674406 ]
David E. Jones commented on OFBIZ-2194:
---------------------------------------
Thanks for reporting this Michele.
Which revision of OFBiz are you testing this on?
This was a known problem (form fields ending up in the URL for post-login use, including login form fields if you click on things in the right order) that was fixed about two weeks ago as part of my rewriting some of the messy parts of the RequestHandler (part of the ControlServlet) and the parameter handling for post-login forwarding (which is now done as actual forwarding).
Could you test this with the latest trunk? The issue should be resolved...
> Password visible in URL query string & hidden parameter (pre/post auth)
> -----------------------------------------------------------------------
>
> Key: OFBIZ-2194
> URL: https://issues.apache.org/jira/browse/OFBIZ-2194
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: SVN trunk
> Reporter: Michele Orru
> Fix For: SVN trunk
>
>
> When logging-in to the ecommerce application, if we send a POST request to the login URI appositely wronging the user/passwd pair,
> the application responds embedding in the HTML the link to which we sent our request, plus USERNAME/PASSWORD parameters (with respective values):
> --- REQUEST ---
> POST /ecommerce/control/login?nodeTrailCsv=CNTGIZMOS%2CCNTGIZMOSSML&contentId=CNTGIZMOS HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/checkLogin/showcontenttree?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&contentId=CNTGIZMOS
> Cookie: JSESSIONID=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf
> --- RESPONSE ---
> [...]
> <div id="ecom-header-bar">
> <ul id="left-links">
> <li id="header-bar-login"><a href="/ecommerce/control/checkLogin/login?nodeTrailCsv=CNTGIZMOS,CNTGIZMOSSML&USERNAME=DemoSalesManager&PASSWORD=ssfsfafaf&contentId=CNTGIZMOS">Login</a></li>
> <li id="header-bar-contactus"><a href="/ecommerce/control/contactus">Contact Us</a></li>
> <li id="header-bar-main"><a href="http://localhost:8080/ecommerce/control/main;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Main</a></li>
> </ul>
> <ul id="right-links">
> <!-- NOTE: these are in reverse order because they are stacked right to left instead of left to right -->
> <li id="header-bar-viewprofile"><a href="/ecommerce/control/viewprofile">Profile</a></li>
> <li id="header-bar-ListQuotes"><a href="/ecommerce/control/ListQuotes">Quotes</a></li>
> <li id="header-bar-ListRequests"><a href="/ecommerce/control/ListRequests">Requests</a></li>
> <li id="header-bar-editShoppingList"><a href="http://localhost:8080/ecommerce/control/editShoppingList;jsessionid=80B8CE9A5E8646598E5D3C5282E7ECE4.jvm1">Shopping Lists</a></li>
> <li id="header-bar-orderhistory"><a href="/ecommerce/control/orderhistory">Order History</a></li>
> </ul>
> </div>
> [...]
> Now, that's not son bad: basically is not an exploitable issue.
> The serious point is that if we Log-in with valid credentials, the HTML page that will be rendered after the successful login will containt an hidden parameter with our password, that can be easily grabbed thanks to XSS that are still present almost everywhere in the ecommerce application.
> --- REQUEST ---
> POST /ecommerce/control/login HTTP/1.1
> Host: localhost:8443
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://localhost:8443/ecommerce/control/login
> Cookie: JSESSIONID=9C59446F41F85A7A86A5DFC6BC75ABC2.jvm1; deadfishcatalog.autoUserLoginId=deadfish; webtools.autoUserLoginId=admin; OFBiz.Visitor=10000; crmsfa.autoUserLoginId=admin; warehouse.autoUserLoginId=lucio; catalog.autoUserLoginId=lucio; ecommerce.autoUserLoginId=euronymous
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 41
> USERNAME=euronymous&PASSWORD=euronymous666
> --- RESPONSE ---
> [...]
> <div class="screenlet">
> <div class="screenlet-header">
> <div class="boxhead">Mini-Poll Poll</div>
> </div>
> <div class="screenlet-body">
> <form method="post" action="http://localhost:8080/ecommerce/control/minipoll/main;jsessionid=72CA238BC8183F96FB25B6405E66500F.jvm1" style="margin: 0;">
>
> <input type="hidden" name="PASSWORD" value="euronymous666"/>
> <input type="hidden" name="USERNAME" value="euronymous"/>
> <input type="hidden" name="partyId" value="10010"/>
> <input type="hidden" name="surveyId" value="1003"/>
> [...]
> Have fun
> Michele Orrù
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.