-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/
Multiple XSS in Apache OFBiz
1. *Advisory Information*
Title: Multiple XSS in Apache OFBiz
Advisory ID: BONSAI-2010-0103
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
Date published: 2010-04-14
Vendors contacted: Apache Software Foundation
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-0432
3. *Software Description*
Apache Open For Business (Apache OFBiz) is a community-driven
Open Source Enterprise Resource Planning (ERP) system.
It provides a suite of enterprise applications that integrate
and automate many of the business processes of an enterprise.
Apache OFBiz is a foundation and starting point for reliable,
secure and scalable enterprise solutions.
OFBiz is an Apache Software Foundation top level project.
4. *Vulnerability Description*
Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.
This vulnerability can be exploited to force a logged-in Administrator
to run arbitrary SQL commands [3] or to create a new user with full privileges [4].
You can find customized XSS PoC payloads here.
For additional information and a demonstrative video, please read [1] and [2].
5. *Vulnerable packages*
Apache OFBiz:
- Stable Version <= 9.04
- SVN Revision <= 920371
- Release Branch Candidate 4.0 Revision <= 920381
Products based on Apache OFBiz:
- Opentaps Version <= 1.4
- Neogia Version <= 1.0
- Entente Oya Version <= 1.6
Since there are more products based on Apache OFBiz, these vulnerabilities are likely
to be present in some of them as well, but this is unconfirmed. Check [2] for updates.
6. *Mitigation*
SVN Trunk users should update to at least revision 920372
from svn or apply the following patches [5].
Release Branch Candidate 09.04 users should update to at least revision 920382
from svn or apply the following patches [6].
Apache Software Foundation developers informed us that all users should
upgrade to the latest version of Apache OFBiz, which fixes this vulnerability.
More information to be found here:
http://ofbiz.apache.org
7. *Credits*
These vulnerabilities were discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).
8. *Technical Description*
8.1 A Reflected Cross-Site Scripting vulnerability was found in the
"productStoreId" variable within the 'Export Product Listing' section.
When rendering menu widget item links of type hidden-form, the hidden
input value attributes were not being html encoded. In many cases these
hidden input values are derived from request parameters and could be used
in a Reflected Cross-Site Scripting attack.
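The root cause described above is a missing HTML attribute encoding step when a request-derived value is written into a hidden input. The following Java snippet is an added illustration and is not OFBiz code or part of the advisory: the class and method names (HiddenInputEncoding, renderHiddenUnencoded, renderHiddenEncoded, encodeAttribute) are illustrative, and the sample request value is constructed. It shows the unencoded rendering beside the encoded one so the difference in the emitted markup is visible.

```java
// Added example, not OFBiz code: rendering a hidden-form input value with
// and without HTML attribute encoding. All names here are illustrative.
public class HiddenInputEncoding {

    // Pattern that caused the issue: the request-derived value is concatenated
    // into the attribute unchanged, so a double quote in the value closes the
    // attribute and whatever follows is parsed by the browser as markup.
    static String renderHiddenUnencoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name
             + "\" value=\"" + value + "\"/>";
    }

    // Corrected pattern: encode every dynamic value before interpolating it
    // into an attribute, so the value can never leave the quoted attribute.
    static String renderHiddenEncoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + encodeAttribute(name)
             + "\" value=\"" + encodeAttribute(value) + "\"/>";
    }

    // Minimal HTML attribute encoder. '&' is handled like any other character
    // in the single pass below, so an input that already contains an entity
    // is encoded once and not double-decoded by the browser.
    static String encodeAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Reviewer's check on rendered output: count the '<' characters. A single
    // hidden input must contribute exactly one; any extra '<' means a value
    // broke out of its attribute.
    static int countTagOpeners(String rendered) {
        int n = 0;
        for (int i = 0; i < rendered.length(); i++) {
            if (rendered.charAt(i) == '<') {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample: a productStoreId-style parameter value that
        // contains attribute and tag delimiters.
        String fromRequest = "store1\"><b>x</b>";

        String unsafe = renderHiddenUnencoded("productStoreId", fromRequest);
        String safe   = renderHiddenEncoded("productStoreId", fromRequest);

        System.out.println("unencoded: " + unsafe);
        System.out.println("  tag openers: " + countTagOpeners(unsafe));   // 3
        System.out.println("encoded:   " + safe);
        System.out.println("  tag openers: " + countTagOpeners(safe));     // 1
    }
}
```

Compile and run with `javac HiddenInputEncoding.java && java HiddenInputEncoding`. The encoded rendering keeps the whole request value inside the `value="..."` attribute, which is the behaviour the fixed revisions restore for menu widget hidden-form links.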
For a page that contains a menu widget with the following menu item definition: