Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-2747

Security : The remote web server is prone to cross-site scripting attacks.



    • Sprint:
      Bug Crush Event - 21/2/2015


      The pollbox seems to be subjet to request argument injection, without any strip of html tags (ex : <script>).

      Nessus scan log :

      Web Server Generic XSS

      Synopsis :

      The remote web server is prone to cross-site scripting attacks.

      Description :

      The remote host is running a web server that fails to adequately
      sanitize request strings of malicious JavaScript. By leveraging this
      issue, an attacker may be able to cause arbitrary HTML and script code
      to be executed in a user's browser within the security context of the
      affected site.

      See also :


      Solution :

      Contact the vendor for a patch or upgrade.

      Risk factor :

      Medium / CVSS Base Score : 4.3

      Plugin output :

      The request string used to detect this flaw was :


      The output was :

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      X-Powered-By: JSP/2.1
      Set-Cookie: OFBiz.Visitor=12065; Expires=Wed, 21-Jul-2010 21:31:20 GMT; Path=/
      Content-Type: text/html;charset=UTF-8
      Transfer-Encoding: chunked
      Date: Tue, 21 Jul 2009 21:31:19 GMT

      <h3>Mouse Hand Poll</h3>
      <div class="screenlet-body">
      <form method="post" action="/control/minipoll/main" style="margin: 0;">
      <input type="hidden" name="<script>cross_site_scripting.nasl</script>" value=""/>
      <input type="hidden" name="surveyId" value="1004"/>
      <table width="100%" border="0" cellpadding="2" cellspacing="0">

      CVE : CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681
      BID : 5305, 7344, 7353, 8037, 14473, 17408
      Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314

      Nessus ID : 10815




            • Assignee:
              lektran Scott Gray
              scaroo Alexandre Mazari
            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created: