Apache OFBiz remote code execution vulnerability with unknown details

Release date: 2012-04-16
Updated on: 2012-04-17

Affected Systems:
Apache Group OfBiz 10.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53025
Cve id: CVE-2012-1622

Apache Open For Business (Apache OFBiz) is an Open-source ERP system.

Apache OFBiz has a security vulnerability. Remote attackers can exploit this vulnerability to execute cross-site scripting attacks and control the vulnerability system.

1) The "getServerError ()" function input of checkoutProcess. js is not properly filtered before being returned to the user, and arbitrary HTML and script code can be executed;

2) some inputs passed as parameter arrays are not properly filtered and are returned to users. attackers can execute arbitrary HTML and script code in users' browser sessions.

3) Some inputs related to the content ID and ing key are not properly filtered, that is, they are returned to the user and can be used to execute arbitrary HTML and script code.

4) Some inputs passed to the Webslinger component are not properly filtered and are returned to the user. attackers can execute arbitrary HTML and script code in the user's browser session.

5) when processing strings with nested scripts, the FlexibleStringExpander class has an error and can be used to execute arbitrary code.

<* Source: jacpo Cappellato

Link: http://secunia.com/advisories/48800/
Http://seclists.org/fulldisclosure/2012/Apr/171
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://httpd.apache.org/