OFBiz / OFBIZ-2121

XSS vulnerability in eCommerce/ordermgr

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: order
    • Labels: None

      Description

      Any HTML/JavaScript that is placed within the fields "shipping_instructions" or "gift_message" (possibly other fields too) when making a new order in eCommerce is executed in the ordermgr module when the order is displayed. For example, using this HTML code

      <iframe src="http://ofbiz.apache.org/"
              style="position:absolute; top:0; left:0; border:0px #FFFFFF none;"
              name="myframe" marginheight="0px" marginwidth="0px"
              height="768" width="1024"></iframe>

      an iframe is displayed with the OFBiz project home page. Now suppose the iframe actually displays a faked OFBiz login page or anything like this (the possibilities are endless...).

      Is there any reason why the FTL escape directives are not used (in this case in orderheader.ftl) to encode content properly using for example something like this:

      <#escape x as x?html>
      First name: ${firstName}
      Last name: ${lastName}
      Maiden name: ${maidenName}
      </#escape>

      (See http://freemarker.org/docs/ref_directive_escape.html for details)

      I know there were some other Jira issues about similar problems, but I didn't see any current effort to fix these things.
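The difference the `<#escape x as x?html>` directive makes can be reproduced outside OFBiz with the FreeMarker library alone. This is an added example, not OFBiz code: the two template strings are hypothetical stand-ins for the relevant lines of orderheader.ftl, the data-model values are constructed sample input, and the FreeMarker 2.3.x jar (the `Configuration.VERSION_2_3_23` constant or later) is assumed to be on the classpath.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class FtlEscapeDemo {
    // Hypothetical fragments standing in for orderheader.ftl: the first interpolates
    // the customer-supplied fields raw, the second wraps the same lines in #escape.
    static final String UNESCAPED =
        "Gift message: ${giftMessage}\nShipping instructions: ${shippingInstructions}\n";
    static final String ESCAPED =
        "<#escape x as x?html>\n" + UNESCAPED + "</#escape>\n";

    // Renders a template given as a string against the supplied data model.
    static String render(String templateSource, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("order", templateSource);
        cfg.setTemplateLoader(loader);
        Template template = cfg.getTemplate("order");
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> order = new HashMap<>();
        // Constructed sample input: a gift message carrying the iframe from the report.
        order.put("giftMessage", "<iframe src=\"http://ofbiz.apache.org/\"></iframe>");
        order.put("shippingInstructions", "Leave the parcel at the back door");

        // Raw interpolation: the iframe tag reaches the browser and is rendered.
        System.out.println("--- without #escape ---");
        System.out.print(render(UNESCAPED, order));

        // With ?html applied by #escape: < > & " are entity-encoded and shown as text.
        System.out.println("--- with <#escape x as x?html> ---");
        System.out.print(render(ESCAPED, order));
    }
}
```

The escaped run prints the markup as literal text with the angle brackets and quotes entity-encoded, which is the behaviour the report asks for in orderheader.ftl.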

              People

              • Assignee: Unassigned
              • Reporter: Philipp Hoppen (phho)