Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0012034 | Project: Openbravo ERP | Category: C. Security | View Status: public | Date Submitted: 2010-01-21 18:04 | Last Update: 2022-02-01 08:08
Reporter: efriese
Assigned To: Triage Platform Base
Priority: high | Severity: major | Reproducibility: always
Status: acknowledged | Resolution: open
20Community Appliance
Core
No
0012034: Cross-site Scripting in the generated xxx_Relation.html files
The value of inpParamSessionDate is not validated/escaped to prevent malicious code from being executed in the browser.

The same field is present in all the various xxx_Relation.html files as they are generated at compile time based on a common-template.

Example URLs where the issue can be reproduced:
/openbravo/Message/Message_Relation.html
/openbravo/Reference/Reference_Relation.html
/openbravo/SystemInfo/SystemInfo_Relation.html
/openbravo/User/User_Relation.html
/openbravo/Form/Form_Relation.html
The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit e.g. /openbravo/Message/Message_Relation.html while using TamperData to set inpParamSessionDate to:

inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>
The value of inpParamSessionDate should be escaped so that code cannot be executed in the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
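The escaping the report asks for, as an added example that is not Openbravo's or WAD's own code: the hidden-input fragment shape and the helper names are assumptions, and the sample input is the URL-decoded value quoted in the steps above.

```javascript
// Added example (not Openbravo code): HTML-escape a request parameter before
// reflecting it into generated HTML, as recommended for inpParamSessionDate.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of attribute or text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed fragment shape: the session date is echoed into a hidden input.
// Hardened form: the value is escaped before being placed in the attribute.
function renderSessionDateField(inpParamSessionDate) {
  return `<input type="hidden" name="inpParamSessionDate" value="${escapeHtml(inpParamSessionDate)}">`;
}

// Unhardened form showing the defect the report describes: raw reflection.
function renderSessionDateFieldUnsafe(inpParamSessionDate) {
  return `<input type="hidden" name="inpParamSessionDate" value="${inpParamSessionDate}">`;
}

// Review check: the rendered fragment must contain exactly one tag (the input).
// Any additional tag start means the parameter broke out of the attribute.
function containsInjectedTag(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length > 1;
}

// Constructed sample input: the URL-decoded parameter value from the report.
const reportedValue = decodeURIComponent(">%22%27><img%20src%3d%22javascript:alert('XSS')%22>");

console.log(renderSessionDateField(reportedValue));
console.log('injected tag after escaping:', containsInjectedTag(renderSessionDateField(reportedValue)));
```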
No tags attached.
has duplicate defect 0012035 closed shuehner Cross-site Scripting in Reference_Relation.html 
has duplicate defect 0012036 closed shuehner Cross-site Scripting in SystemInfo_Relation.html 
has duplicate defect 0012037 closed shuehner Cross-site Scripting in User_Relation.html 
has duplicate defect 0012032 closed shuehner Cross-site Scripting in Form_Relation.html 
blocks design defect 0019842 acknowledged Triage Platform Base Review Cross-site Scripting 
Issue History
2010-01-21 18:04 | efriese | New Issue
2010-01-21 18:04 | efriese | Assigned To | => alostale
2010-01-25 08:15 | alostale | Status | new => scheduled
2010-01-25 08:15 | alostale | Assigned To | alostale => shuehner
2011-11-22 18:29 | shuehner | Note Added: 0043092
2011-11-22 18:29 | shuehner | Summary | Cross-site Scripting in Message_Relation.html => Cross-site Scripting in the generated xxx_Relation.html files
2011-11-22 18:29 | shuehner | Description Updated | bug_revision_view_page.php?rev_id=2930#r2930
2011-11-22 18:29 | shuehner | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=2932#r2932
2011-11-22 18:30 | shuehner | Relationship added | has duplicate 0012035
2011-11-22 18:31 | shuehner | Relationship added | has duplicate 0012036
2011-11-22 18:31 | shuehner | Relationship added | has duplicate 0012037
2011-11-22 18:31 | shuehner | Relationship added | has duplicate 0012032
2012-02-20 11:11 | shuehner | Assigned To | shuehner => alostale
2012-02-22 15:52 | alostale | Relationship added | blocks 0019842
2012-02-22 15:54 | alostale | Type | defect => design defect
2012-09-24 23:39 | AugustoMauch | Note Added: 0052510
2012-09-24 23:39 | AugustoMauch | Priority | normal => high
2017-03-31 14:36 | alostale | Status | scheduled => acknowledged
2017-04-10 14:35 | alostale | Assigned To | alostale => platform
2022-02-01 08:08 | alostale | Assigned To | platform => Triage Platform Base

Notes
(0043092)
shuehner
2011-11-22 18:29
Consolidating similar bug-reports into a single one if the source of them is identical (i.e. autogenerated xx_Relation.html files generated from wad)
(0052510)
AugustoMauch
2012-09-24 23:39
Effort: 1
Impact: low
Plan: short