Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2009/02/14 08:39:59 UTC

[jira] Closed: (OFBIZ-178) Cross site scripting vulnerability in Forum

     [ https://issues.apache.org/jira/browse/OFBIZ-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-178.
---------------------------------

    Resolution: Fixed
      Assignee: David E. Jones  (was: Jacques Le Roux)

Fixed by recent security efforts (though the message is not clear when trying to inject in forum body, title is ok (std input field vs content field)).

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>                 Key: OFBIZ-178
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-178
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Eriks Dobelis
>            Assignee: David E. Jones
>             Fix For: SVN trunk
>
>
> Currently HTML tags are filtered from forum messages by client side javascript (whyzzywig.js). If JavaScript is turned off (or local webproxy is used to filter or change the script), then user can post a forum message containing any HTML code, including <script> tags, e.g. <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g. writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that the user could change that text. I have not checked that, but as there are fields like dataResourceTypeId and contentTypeId, then probably a user can create any type of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

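The report's root cause is that filtering runs only in the browser (whyzzywig.js), which a poster can switch off. A server-side counterpart, added here as an illustration and not code from OFBiz or the reporter: it escapes the message body so markup is rendered as literal text, and checks the hidden-field values against an allow-list of what the form actually emits (field names and values come from the form above; the ForumPostValidator class, its allow-lists and the "SOME_OTHER_TYPE" sample are assumptions).

```java
import java.util.Map;
import java.util.Set;
/** Server-side checks for a forum post (constructed example, not OFBiz code). */
public final class ForumPostValidator {
    // Only values the form itself emits in its hidden fields are accepted (constructed allow-lists).
    private static final Set<String> CONTENT_TYPE_IDS = Set.of("DOCUMENT");
    private static final Set<String> DATA_RESOURCE_TYPE_IDS = Set.of("ELECTRONIC_TEXT");
    private static final Set<String> CONTENT_ASSOC_TYPE_IDS = Set.of("RESPONSE");

    /** Escape the five HTML metacharacters so the browser shows the body as text, never as markup. */
    public static String escapeHtml(String body) {
        StringBuilder out = new StringBuilder(body.length());
        for (int i = 0; i < body.length(); i++) {
            char c = body.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hidden fields arrive from the client and can be edited; check each against its allow-list. */
    public static void checkHiddenFields(Map<String, String> params) {
        require(CONTENT_TYPE_IDS, params, "contentTypeId");
        require(DATA_RESOURCE_TYPE_IDS, params, "dataResourceTypeId");
        require(CONTENT_ASSOC_TYPE_IDS, params, "contentAssocTypeId");
    }

    private static void require(Set<String> allowed, Map<String, String> params, String name) {
        String value = params.get(name);
        if (value == null || !allowed.contains(value)) {
            throw new IllegalArgumentException("rejected " + name + "=" + value);
        }
    }

    public static void main(String[] args) {
        // Payload from the report: after escaping it is inert text in the rendered page.
        System.out.println(escapeHtml("<script>alert('test');</script>"));
        Map<String, String> good = Map.of("contentTypeId", "DOCUMENT",
                "dataResourceTypeId", "ELECTRONIC_TEXT", "contentAssocTypeId", "RESPONSE");
        checkHiddenFields(good);  // passes silently
        Map<String, String> tampered = Map.of("contentTypeId", "SOME_OTHER_TYPE",  // constructed value
                "dataResourceTypeId", "ELECTRONIC_TEXT", "contentAssocTypeId", "RESPONSE");
        try { checkHiddenFields(tampered); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Escaping on output is the minimal fix; if the forum must keep some formatting, the same server-side position is where an allow-list HTML sanitizer belongs, since nothing the browser does can be relied on.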