Open source ERP and e-commerce package OFBIZ has an XSS vulnerability in
the forum functionality. This was initially posted on Ofbiz JIRA issue
tracking system (https://issues.apache.org/jira/browse/OFBIZ-178) on
22/Aug/06.
I last verified it in revision 469895 (1/Nov/06), and it was still
present. As far as I know (and from activity on JIRA) nothing has changed.
Repeating the vulnerability is straight forward:
1) Install OFBIZ;
2) Disable JavaScript in browser;
3) Log in and browse to forum (with default install you will see Browse
Forums/Gizmos on the left side);
4) Post a message like <script>alert('XSS vulnerability test');</script>
5) Enable JavaScript;
So if you are a customer going to some vendor's OFBIZ site, don't go to
Forums section as you might be affected (if your JavaScript is enabled).
If you are using OFBIZ for your e-commerce site, disable all forum
functionality until the vulnerability is fixed.
Ēriks Dobelis
http://www.biti.lv/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Dec 09 2006
Intro
