Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0012032
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] C. Securitymajoralways2010-01-21 17:552011-11-22 18:31
ReporterefrieseView Statuspublic 
Assigned Toshuehner 
PrioritynormalResolutionduplicateFixed in Version
StatusclosedFix in branchFixed in SCM revision
ProjectionnoneETAnoneTarget Version
OSLinux 32 bitDatabasePostgreSQLJava version1.6.0_16
OS VersionCommunity ApplianceDatabase version8.3.8Ant version1.7.1
Product Version2.50MP9SCM revision 
Review Assigned To
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0012032: Cross-site Scripting in Form_Relation.html

DescriptionThe value for inpParamSessionDate is not validated/escaped to prevent malicious code from being executed in the browser.
Steps To ReproduceThe TamperData plugin for Firefox or another type of proxy will be needed to reproduce. Visit /openbravo/Form/Form_Relation.html and use TamperData to change the value of inpParamSessionDate to:

inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
Proposed SolutionThe value of inpParamSessionDat should be escaped to prevent code from being executed in the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 [^]
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
duplicate of design defect 0012034 acknowledgedTriage Platform Base Cross-site Scripting in the generated xxx_Relation.html files 

-  Notes
(0043096)
shuehner (administrator)
2011-11-22 18:31

Consolidating issue based on same source file. Keeping all of them in issue 12034.

- Issue History
Date Modified Username Field Change
2010-01-21 17:55 efriese New Issue
2010-01-21 17:55 efriese Assigned To => alostale
2010-01-25 08:15 alostale Status new => scheduled
2010-01-25 08:15 alostale Assigned To alostale => shuehner
2011-11-22 18:31 shuehner Relationship added duplicate of 0012034
2011-11-22 18:31 shuehner Note Added: 0043096
2011-11-22 18:31 shuehner Status scheduled => closed
2011-11-22 18:31 shuehner Resolution open => duplicate


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker