[VulnWatch] XSS vulnerability in OFBIZ forum

[Ēriks <eriks00@moon.lv>]

Open source ERP and e-commerce package OFBIZ has an XSS vulnerability in
the forum functionality. This was initially posted on Ofbiz JIRA issue
tracking system (https://issues.apache.org/jira/browse/OFBIZ-178) on
22/Aug/06.

I last verified it in revision 469895 (1/Nov/06), and it was still
present. As far as I know (and from activity on JIRA) nothing has changed.

Repeating the vulnerability is straight forward:
1) Install OFBIZ;
2) Disable JavaScript in browser;
3) Log in and browse to forum (with default install you will see Browse
Forums/Gizmos on the left side);
4) Post a message like <script>alert('XSS vulnerability test');</script>
5) Enable JavaScript;

So if you are a customer going to some vendor's OFBIZ site, don't go to
Forums section as you might be affected (if your JavaScript is enabled).
If you are using OFBIZ for your e-commerce site, disable all forum
functionality until the vulnerability is fixed.

Ēriks Dobelis
http://www.biti.lv/