[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[VulnWatch] XSS vulnerability in OFBIZ forum

To: vulnwatch@xxxxxxxxxxxxx
Subject: [VulnWatch] XSS vulnerability in OFBIZ forum
From: Ēriks <eriks00@xxxxxxx>
Date: Fri, 8 Dec 2006 17:35:36 +0200 (EET)

Open source ERP and e-commerce package OFBIZ has an XSS vulnerability in
the forum functionality. This was initially posted on Ofbiz JIRA issue
tracking system (https://issues.apache.org/jira/browse/OFBIZ-178) on
22/Aug/06.

I last verified it in revision 469895 (1/Nov/06), and it was still
present. As far as I know (and from activity on JIRA) nothing has changed.

Repeating the vulnerability is straight forward:
1) Install OFBIZ;
2) Disable JavaScript in browser;
3) Log in and browse to forum (with default install you will see Browse
Forums/Gizmos on the left side);
4) Post a message like <script>alert('XSS vulnerability test');</script>
5) Enable JavaScript;

So if you are a customer going to some vendor's OFBIZ site, don't go to
Forums section as you might be affected (if your JavaScript is enabled).
If you are using OFBIZ for your e-commerce site, disable all forum
functionality until the vulnerability is fixed.

Ēriks Dobelis
http://www.biti.lv/

Prev by Date: [VulnWatch] Orkut Multiple Cross Site Scripting Vulnerabilities
Next by Date: [VulnWatch] iDefense Security Advisory 12.08.06: Multiple Vendor Antivirus RAR File Denial of Service Vulnerability
Previous by thread: [VulnWatch] Orkut Multiple Cross Site Scripting Vulnerabilities
Next by thread: [VulnWatch] iDefense Security Advisory 12.08.06: Multiple Vendor Antivirus RAR File Denial of Service Vulnerability
Index(es):
- Date
- Thread