This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new b0b4ba4 Improved: Reflected XSS in content component (OFBIZ-11840)
b0b4ba4 is described below
commit b0b4ba4d56fae1cd04c7a57c835f77eb0417d59d
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Jul 18 12:00:29 2020 +0200
Improved: Reflected XSS in content component (OFBIZ-11840)
Fixes a Reflected XSS vulnerability in content component
Harshit Shukla reported it to the OFBiz security team:
https://demo-stable.ofbiz.apache.org/content/control/stream?contentId=";><svg/onload=alert(0)>
It's a post-auth vulnerability so we did not ask for a CVE.
Thanks: Harshit Shukla harshit.sh...@gmail.com
---
.../src/main/java/org/apache/ofbiz/content/data/DataEvents.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
index e81166e..6be9deb 100644
---
a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
+++
b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
@@ -79,6 +79,13 @@ public class DataEvents {
// get the permission service required for streaming data; default is
always the genericContentPermission
String permissionService =
EntityUtilProperties.getPropertyValue("content", "stream.permission.service",
"genericContentPermission", delegator);
+ // This is counterintuitive but it works, for OFBIZ-11840
+ // It could be improved by checking for possible events associated
with svg
+ // As listed at
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
+ if (contentId.contains("<svg")) {
+ return "success";
+ }
+
// get the content record
GenericValue content;
try {
