Posted to dev@ofbiz.apache.org by "Eriks Dobelis (JIRA)" <ji...@apache.org> on 2006/08/23 08:57:14 UTC

[jira] Created: (OFBIZ-178) Cross site scripting vulnerability in Forum

Cross site scripting vulnerability in Forum
-------------------------------------------

                 Key: OFBIZ-178
                 URL: http://issues.apache.org/jira/browse/OFBIZ-178
             Project: OFBiz (The Open for Business Project)
          Issue Type: Bug
          Components: ecommerce
            Reporter: Eriks Dobelis


Currently HTML tags are filtered from forum messages by client-side JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is used to filter or change the script), then a user can post a forum message containing any HTML code, including <script> tags, e.g. <script>alert('test');</script>

This is a classic cross-site scripting problem with all the consequences (e.g. writing scripts to steal active cookies).

Also, currently a lot is supplied as hidden fields, which probably means that a user could change that text. I have not checked that, but as there are fields like dataResourceTypeId, contentTypeId, then probably a user can create any type of content.
<input type="hidden" name="VIEW_INDEX"/>
<input type="hidden" name="threadView"/>
<input type="hidden" name="forumGroupId"/>
<input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
<input type="hidden" name="forumId" value="ASK"/>
<input type="hidden" name="contentName" value="New thread/message/response"/>
<input type="hidden" name="contentTypeId" value="DOCUMENT"/>
<input type="hidden" name="ownerContentId" value="ASK"/>
<input type="hidden" name="contentIdTo" value="10007"/>

<input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacopo Cappellato (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430000 ]
Jacopo Cappellato commented on OFBIZ-178:
-----------------------------------------

I'm not an expert in this area, but maybe others could give some good advice: however, it would be nice to see some fixes and security improvements in the forum stuff.




[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Si Chen (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430286 ]
Si Chen commented on OFBIZ-178:
-------------------------------

Erik,

I think then the filtering of HTML should be something to be fixed in whizzywyg.js and contributed back to them and then brought back into ofbiz.  Maybe you should write them?

I disagree with you about "the most clean approach would be to send to the client side only session ID (in cookie or hidden field) and to store all other data on the server side".  I think the approach most consistent with the way ofbiz works would be to create a special service for managing forum postings which reuses the existing content services but with those fields embedded in them.  The content manager services are fairly generic and probably meant to be used as foundation or building blocks for actual applications rather than directly hidden on html forms like this.


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430313 ]
Jacques Le Roux commented on OFBIZ-178:
---------------------------------------

Mmm, this was a problem with hsql, it's all right with PostGres. I like to work with hsql for its speed, but I think I will return to PostGres...


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Si Chen (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430116 ]
Si Chen commented on OFBIZ-178:
-------------------------------

Eric,

I see how it could be a problem -- so you're saying I could turn off my javascript, insert some malicious script, and then everybody else who comes to the forum screen later could then have their sessionId, etc. stolen by my JavaScript for session hijacking?

How should we solve it then?  We still need to use JS for the forum screens, as I'm sure a lot of websites do.  Do you have any suggestions, or better still--a patch? :)

The issue of the fields -- yes I agree, it's not very nice.  There should be a wrapper field which sets all of these so that the amount in the HTML page should be kept to a minimum.


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12429994 ]
Jacques Le Roux commented on OFBIZ-178:
---------------------------------------

Eriks,

The js file is actually whizzywig.js.

Using the last svn, I tried to load a forum from the eCommerce 1st page and I got this message:

org.ofbiz.base.util.GeneralException: Error rendering screen [component://ecommerce/widget/ForumScreens.xml#Showforum]: java.lang.IllegalArgumentException: Error calling service with name performFindList: org.ofbiz.service.ServiceValidationException: The following required parameter is missing: [performFindList.listSize] (Error calling service with name performFindList: org.ofbiz.service.ServiceValidationException: The following required parameter is missing: [performFindList.listSize])

Please, as I don't really need forums for now, might you take a look at this problem before?

TIA

Jacques


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430241 ]
Jacques Le Roux commented on OFBIZ-178:
---------------------------------------

Erik,

I tried with the last svn (at this moment) but had not updated the data indeed. I just tried with the data updated (ant run-install) and I get the same error. Strange, because listSize is an "OUT" optional="false" parameter of performFindList and is present after the call of performFindList in ForumScreens.xml. Will see later...


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Si Chen (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430332 ]
Si Chen commented on OFBIZ-178:
-------------------------------

So are you saying that createDataResource or whatever it is that is storing the html content should filter out script tags?


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Eriks Dobelis (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430290 ]
Eriks Dobelis commented on OFBIZ-178:
-------------------------------------

Si,

It cannot be fixed in whizzywyg.js (it already does correct filtering), because when JavaScript is turned off in the browser whizzywyg is not used at all. It has to be done on the server side, because all client-side controls can be easily manipulated by a malicious user.


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Eriks Dobelis (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430168 ]
Eriks Dobelis commented on OFBIZ-178:
-------------------------------------

Jacques, are you using the latest version with demo data?

Si, HTML text coming from the client should be checked to contain only those HTML tags which are explicitly allowed (e.g. <strong> is one such tag). In all the other tags, symbols like <, >, ', " should for security reasons be changed to their HTML representation (&lt; &gt;). Basically the same operations that whizzywig.js does on the client side regarding symbol filtering should also be performed on the server side.

Regarding hidden fields, the cleanest approach would be to send to the client side only the session ID (in a cookie or hidden field) and to store all other data on the server side. Otherwise, the effect of manipulating all the hidden field values should be analyzed. If those are values which the client should be able to change then it is ok, but I am quite sure that the client should not be able to change the values of dataResourceTypeId, contentTypeId.

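The two server-side measures proposed in the comment above (an explicit allowlist of HTML tags with every other <, >, ', " escaped to its entity, and a service wrapper that fixes dataResourceTypeId / contentTypeId / contentAssocTypeId on the server instead of trusting hidden form fields) sketched in Java. This is an added illustration, not OFBiz code and not what whizzywig.js or DataServices.createDataResourceMethod actually do: the class name, the allowed tags other than <strong>, the identifier pattern, and the use of "textData" as the message-body field name are assumptions; the resulting map is only built, not passed to a real OFBiz service.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative server-side counterpart to the filtering whizzywig.js does in the browser (assumed design). */
public final class ForumPostHardening {

    /** Tags passed through verbatim; only <strong> is named in the issue, the others are assumed here. */
    private static final Set<String> ALLOWED_TAGS = Set.of("strong", "em", "p", "br");

    /** Matches a bare open or close tag with no attributes, e.g. "<strong>" or "</strong>". */
    private static final Pattern BARE_TAG = Pattern.compile("<(/?)([a-zA-Z]+)\\s*/?>");

    /** Escapes the characters that let text break out of an HTML text node or attribute value. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Allowlist sanitizer: attribute-less tags in ALLOWED_TAGS pass through; everything else,
     * including <script> and any tag carrying attributes, is escaped so the browser shows it as text.
     */
    static String sanitizeForumMessage(String html) {
        StringBuilder out = new StringBuilder();
        Matcher m = BARE_TAG.matcher(html);
        int last = 0;
        while (m.find()) {
            out.append(escapeHtml(html.substring(last, m.start())));
            String tag = m.group(2).toLowerCase();
            if (ALLOWED_TAGS.contains(tag)) {
                out.append('<').append(m.group(1)).append(tag).append('>');
            } else {
                out.append(escapeHtml(m.group()));
            }
            last = m.end();
        }
        out.append(escapeHtml(html.substring(last)));
        return out.toString();
    }

    /** Hidden-field values from the issue that the client must not control; fixed on the server. */
    static final Map<String, String> FIXED_CONTENT_FIELDS = Map.of(
        "dataResourceTypeId", "ELECTRONIC_TEXT",
        "contentTypeId", "DOCUMENT",
        "contentAssocTypeId", "RESPONSE");

    /** Identifier-shaped values only (assumed format for forumId and contentIdTo). */
    private static final Pattern ID_VALUE = Pattern.compile("[A-Za-z0-9_]{1,20}");

    /**
     * Builds the context for the content-creation service from the client request: fixed fields come
     * from FIXED_CONTENT_FIELDS whatever the form posted, the few client-chosen identifiers are
     * validated, and the message body is sanitized. Any client-supplied dataResourceTypeId is ignored.
     */
    static Map<String, String> buildCreateContext(Map<String, String> request) {
        Map<String, String> ctx = new LinkedHashMap<>(FIXED_CONTENT_FIELDS);
        for (String name : List.of("forumId", "contentIdTo")) {
            String v = request.get(name);
            if (v == null || !ID_VALUE.matcher(v).matches()) {
                throw new IllegalArgumentException("invalid or missing " + name);
            }
            ctx.put(name, v);
        }
        ctx.put("textData", sanitizeForumMessage(request.getOrDefault("textData", "")));
        return ctx;
    }

    public static void main(String[] args) {
        // Constructed request: a forged dataResourceTypeId plus the <script> example from the issue.
        Map<String, String> request = Map.of(
            "forumId", "ASK",
            "contentIdTo", "10007",
            "dataResourceTypeId", "FORGED",
            "textData", "<strong>hi</strong> <script>alert('test');</script>");
        Map<String, String> ctx = buildCreateContext(request);
        System.out.println(ctx);
    }
}
```

Running main shows dataResourceTypeId kept at ELECTRONIC_TEXT regardless of the forged value, <strong> preserved, and the script tag rendered inert as entities. The escaping (rather than stripping) of disallowed markup follows the comment's suggestion and has the advantage that a reviewer can still see what was posted.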

[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430307 ]
Jacques Le Roux commented on OFBIZ-178:
---------------------------------------

I even tried after an ant clean-data (I use hsql), same error; will try with an ant clean-all (but it seems useless).


[jira] Assigned: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=all ]

Jacques Le Roux reassigned OFBIZ-178:
-------------------------------------

    Assignee: Jacques Le Roux


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12438168 ]
Jacques Le Roux commented on OFBIZ-178:
---------------------------------------

Please see my comments in OFBIZ-260


[jira] Commented: (OFBIZ-178) Cross site scripting vulnerability in Forum

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430341 ]
Jacques Le Roux commented on OFBIZ-178:
---------------------------------------

Eriks,

I agree that this has to be corrected from the server side and I vote for this issue.

Si,

Yes, I think that this is the place where it might go. If I have understood well, that means converting some parts of the code of whizzywig.js into Java and putting it in DataServices.createDataResourceMethod. Are you ready to do that work, Eriks?
