Posted to user@ofbiz.apache.org by Soon Won Park <ar...@gmail.com> on 2012/05/23 21:25:44 UTC
Re: [CVE-2012-1621] Apache OFBiz information disclosure vulnerability
Good afternoon guys!
Do you know how I can make sure that I'm using a non-vulnerable version?
According to this email, I need to upgrade from OFBiz 10.04 to
10.04.02. But I'm using an optimized version which has been derived
from OFBiz 9.x.
And we customized a lot, so I cannot simply upgrade to 10.04.02.
I checked the trunk and tags, and it looks like there were lots of changes
between 10.04 (1060844) and 10.04.02 (1326267). So I'm not sure which part I
need to take a look at to make sure my version is secure.
Can you give me an idea how I can check my version?
Thank you for reading.
Soon-won
On Sun, Apr 15, 2012 at 9:33 AM, Jacopo Cappellato <ja...@apache.org> wrote:
> CVE-2012-1621: Apache OFBiz information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation - Apache OFBiz
>
> ======Versions Affected======
>
> Apache OFBiz 10.04 (also known as 10.04.01)
>
> ======Description======
>
> Multiple XSS:
>
> XSS 1:
> Error messages containing user input returned via ajax requests
> weren't being escaped
>
> XSS 2:
> Parameter arrays (converted to Lists by OFBiz) weren't being
> auto-encoded in freemarker templates. An attacker could send multiple
> parameters sharing the same name where only a single value was
> expected, because the value was a List instead of a String rendering
> the parameter in freemarker via ${parameter} would bypass OFBiz's
> automatic html encoding.
>
> XSS 3:
> Requests that used the cms event were susceptible to XSS attacks via
> the contentId and mapKey parameters because if the content was found
> to be missing an unencoded error message containing the supplied
> values was being streamed to the browser.
>
> XSS 4:
> Requests that used the experimental Webslinger component were susceptible to XSS attacks
>
> ======Mitigation======
>
> 10.04 users should upgrade to 10.04.02
>
> ======Credit======
>
> These issues were discovered by Matias Madou (mmadou@hp.com) of Fortify/HP Security Research Group
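The mechanism behind "XSS 2" in the quoted advisory, as an added example that is not part of the original post and not OFBiz's own code: a simplified Python model (OFBiz itself is Java with FreeMarker templates) of a framework whose output encoding only covers String values. The parameter-parsing, the encoders, the template stand-in and the `reflects_raw` check are all assumed, illustrative names; the payload and query strings are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed payload for the demonstration; not taken from the advisory.
PAYLOAD = "<script>alert(1)</script>"


def build_query(name, *values):
    """Build a URL-encoded query string that sends `name` once per value."""
    return "&".join(f"{quote(name)}={quote(v)}" for v in values)


def parse_params(query):
    """Model of a servlet container handing request parameters to the app.

    A name sent once arrives as a str; a name sent more than once arrives as
    a list of str (the "parameter array converted to a List" the advisory
    describes). This is a simplified stand-in, not OFBiz's own code.
    """
    params = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        params[name] = values[0] if len(values) == 1 else list(values)
    return params


def encode_strings_only(value):
    """Vulnerable model of auto-encoding: only str values are HTML-encoded.

    Any other type is rendered through its default string form, so the
    elements of a list reach the page unencoded.
    """
    if isinstance(value, str):
        return html.escape(value, quote=True)
    return str(value)


def encode_any(value):
    """Hardened model: HTML-encode every scalar reachable from the value, so a
    list, dict or arbitrary object cannot carry raw markup into the page."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, (list, tuple)):
        return "[" + ", ".join(encode_any(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{" + ", ".join(
            f"{encode_any(k)}={encode_any(v)}" for k, v in value.items()) + "}"
    return html.escape(str(value), quote=True)


def render(params, name, encoder):
    """Stand-in for a template line such as <p>Hello ${parameters.name}</p>
    where the framework applies `encoder` to the value before output."""
    return f"<p>Hello {encoder(params.get(name, ''))}</p>"


def reflects_raw(body, payload=PAYLOAD):
    """True if the payload appears in the response body unencoded: the check
    to run on a captured response when probing a deployment for this bug."""
    return payload in body


if __name__ == "__main__":
    single = parse_params(build_query("name", PAYLOAD))
    doubled = parse_params(build_query("name", PAYLOAD, PAYLOAD))
    # Sent once, the value is a str and is encoded.
    print(render(single, "name", encode_strings_only))
    # Sent twice, the value is a list and the markup passes through raw.
    print(render(doubled, "name", encode_strings_only))
    # The recursive encoder closes the gap.
    print(render(doubled, "name", encode_any))
```

The point of the model is the type dispatch: an encoder keyed on "is this a String" is bypassed the moment the container hands the template a List, which any client can cause by repeating a parameter name. The same shape of test applies to a customized fork that cannot simply be upgraded: send a parameter twice to a page that echoes it, capture the body, and apply a `reflects_raw`-style check, since behaviour, not the version string, is what tells you whether the fix is present.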
Re: [CVE-2012-1621] Apache OFBiz information disclosure vulnerability
Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
The bugs have been reported on the 10.04 series, and if you are running 09.04 you should not be affected. Of course there are good reasons to plan for the upgrade to 10.04, because 09.04 is an old branch and, according to the current release plan, it is now closed:
http://ofbiz.apache.org/download.html
Jacopo