  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-178

Cross site scripting vulnerability in Forum


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: Trunk
    • Component/s: ecommerce
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      Currently HTML tags are filtered from forum messages by client-side JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is used to filter or change the script), then a user can post a forum message containing any HTML code, including <script> tags, e.g. <script>alert('test');</script>

      This is a classic cross-site scripting problem with all the consequences (e.g. writing scripts to steal active cookies).

      Also, currently a lot is supplied as hidden fields, which probably means that a user could change that text. I have not checked that, but as there are fields like dataResourceTypeId and contentTypeId, a user can probably create any type of content.
      <input type="hidden" name="VIEW_INDEX"/>
      <input type="hidden" name="threadView"/>
      <input type="hidden" name="forumGroupId"/>
      <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
      <input type="hidden" name="forumId" value="ASK"/>
      <input type="hidden" name="contentName" value="New thread/message/response"/>
      <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
      <input type="hidden" name="ownerContentId" value="ASK"/>
      <input type="hidden" name="contentIdTo" value="10007"/>

      <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>


              People

              • Assignee:
                jonesde David E. Jones
                Reporter:
                phaethon Eriks Dobelis
              • Votes:
                2
                Watchers:
                1
