Advisory ID: SYSS-2020-001
Product: Apache OFBiz
Manufacturer: The Apache Software Foundation
Affected Version(s): OFBiz 16.11.01 to 16.11.07
Tested Version(s): 16.11.06
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-01-13
Solution Date: 2020-03-06
Public Disclosure: 2020-03-31
CVE Reference: CVE-2020-1943
Author of Advisory: Dr. Timon Funck, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Apache OFBiz is an open source enterprise resource planning (ERP)
system.

The manufacturer describes the product as follows (see [1]):

"Apache OFBiz is a suite of business applications flexible enough to be
used across any industry. A common architecture allows developers to
easily extend or enhance it to create custom features."

Due to missing input sanitization, it is vulnerable to reflected
cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The request handler "/control/stream" reads the request parameter
"contentId". The value supplied in "contentId" is not sanitized before
it is reflected back to the client. This allows an attacker to craft
links that carry injected script code (reflected cross-site scripting).

The behaviour seems to be present in all modules that expose the
handler, e.g. "accounting", "ap", "ecommerce" and "catalog".
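As an added example (not part of the SySS advisory or of the OFBiz project), the following Python script shows how a defender can check web-server access logs for requests to the "/control/stream" handler whose "contentId" parameter carries HTML markup, including percent-encoded and double-encoded variants. The handler path and parameter name are taken from this advisory; the log lines in the script are constructed sample data, and the character set treated as suspicious is an assumption about what a legitimate OFBiz content id never contains.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line in common/combined log format: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: these never occur in a legitimate OFBiz content id
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so that %253C is recognised as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return the offending contentId value, or None if the request is clean."""
    parts = urlsplit(target)
    if not parts.path.endswith("/control/stream"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("contentId", []):
        decoded = decode_fully(value)  # parse_qs already removed one layer
        if SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return [(line_number, decoded_contentId), ...] for suspicious requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match and match.group("method") in ("GET", "POST"):
            bad = inspect_request(match.group("target"))
            if bad is not None:
                hits.append((number, bad))
    return hits


# Constructed sample log: a benign request, a percent-encoded probe,
# a double-encoded probe, and an unrelated handler that must not match.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2020:10:00:00 +0000] "GET /ap/control/stream?contentId=10001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2020:10:00:01 +0000] "GET /ap/control/stream?contentId=%3Cscript%3E HTTP/1.1" 200 80',
    '10.0.0.9 - - [01/Apr/2020:10:00:02 +0000] "GET /ecommerce/control/stream?contentId=%253Cb%253E HTTP/1.1" 200 80',
    '10.0.0.7 - - [01/Apr/2020:10:00:03 +0000] "GET /catalog/control/main?contentId=%3Cb%3E HTTP/1.1" 200 80',
]
```

Running scan_log(SAMPLE_LOG) flags only the two "/control/stream" requests with markup in "contentId"; the numeric id and the request to a different handler are ignored.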
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Use the URL:

"https:///ap/control/stream?contentId="

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to 17.12.01 or manually apply the commits at OFBIZ-10753.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-12-18: Vulnerability discovered
2020-01-13: Vulnerability reported to manufacturer
2020-03-06: Patch released by manufacturer
2020-03-31: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Apache OFBiz
    https://ofbiz.apache.org/
[2] SySS Security Advisory SYSS-2020-001
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-001.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Timon Funck of SySS GmbH.

E-Mail: timon.funck@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Timon_Funck.asc
Key ID: 0x84E70494
Key Fingerprint: 0999 0EDD 0D46 DC05 833E 3545 2C1F 74FD 84E7 0494

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en