ID: 0012037
Type: defect
Category: [Openbravo ERP] C. Security
Severity: major
Reproducibility: always
Date Submitted: 2010-01-21 18:16
Last Update: 2011-11-22 18:31
Reporter: efriese
View Status: public
Assigned To: shuehner
Priority: normal
Resolution: duplicate
Status: closed
Projection: none
ETA: none
OS: Linux 32 bit
OS Version: Community Appliance
Database: PostgreSQL
Database version: 8.3.8
Java version: 1.6.0_16
Ant version: 1.7.1
Product Version: 2.50MP9
Modules: Core
Triggers an Emergency Pack: No
Summary: 0012037: Cross-site Scripting in User_Relation.html

Description: The value of inpParamSessionDate is not validated/escaped to prevent malicious data from being executed by the browser.

Steps To Reproduce: The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit /openbravo/User/User_Relation.html while using TamperData to set the value of inpParamSessionDate to:

inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>

An alert box will display XSS.
Proposed Solution: The value of inpParamSessionDate should be escaped to prevent code from being executed in the browser. More info can be found at http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
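As an added illustration of the proposed fix (this is not code from the report or from Openbravo), the following Python renders the parameter raw, the way the report describes, and then HTML-attribute-escaped, and adds allow-list validation in front of the escaping. The hidden-input markup and the dd-mm-yyyy date format are assumptions made for the example; the report does not state the real page's markup or date format.

```python
"""Escape-and-validate demonstration for a request parameter echoed into HTML."""
import html
import re
from urllib.parse import unquote

# The reproduction payload from the report, still URL-encoded as the proxy would send it.
REPORTED_PAYLOAD = ">%22%27><img%20src%3d%22javascript:alert('XSS')%22>"
# The same payload after the server decodes the query string.
DECODED_PAYLOAD = unquote(REPORTED_PAYLOAD)

# Assumption for this example: the session date is expected as dd-mm-yyyy.
# The real Openbravo format is not stated in the report.
SESSION_DATE_RE = re.compile(r"^\d{2}-\d{2}-\d{4}$")

# Matches anything that looks like the start of an HTML tag.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z]")


def render_unsafe(value: str) -> str:
    """The flawed pattern the report describes: raw interpolation into an attribute.
    (Assumed markup; the actual User_Relation.html template is not shown in the report.)"""
    return f'<input type="hidden" name="inpParamSessionDate" value="{value}">'


def render_escaped(value: str) -> str:
    """HTML-attribute escaping: <, >, &, " and ' become entities, so the value
    can neither close the attribute nor open a new tag."""
    safe = html.escape(value, quote=True)
    return f'<input type="hidden" name="inpParamSessionDate" value="{safe}">'


def is_valid_session_date(value: str) -> bool:
    """Allow-list validation: reject anything not in the assumed date format."""
    return SESSION_DATE_RE.fullmatch(value) is not None


def handle_param(raw_param: str) -> str:
    """Server-side handling of the parameter: decode, validate, then escape.
    Invalid input is dropped and rendered as an empty value; escaping is applied
    regardless, so the output is safe even if the validator is later loosened."""
    value = unquote(raw_param)
    if not is_valid_session_date(value):
        value = ""
    return render_escaped(value)


def tag_count(rendered: str) -> int:
    """Count tag openings in a rendered fragment; a safe rendering of the hidden
    field has exactly one (the <input> itself)."""
    return len(TAG_RE.findall(rendered))


if __name__ == "__main__":
    print("unsafe  :", render_unsafe(DECODED_PAYLOAD), "-> tags:", tag_count(render_unsafe(DECODED_PAYLOAD)))
    print("escaped :", render_escaped(DECODED_PAYLOAD), "-> tags:", tag_count(render_escaped(DECODED_PAYLOAD)))
    print("handled :", handle_param(REPORTED_PAYLOAD))
    print("valid   :", handle_param("21-01-2010"))
```

Running the block prints the raw rendering with two tag openings (the `<input>` and the injected `<img>`) against the escaped rendering with one; `handle_param` shows the combined path, where the reported payload fails validation and a well-formed date passes through escaped but unchanged.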
Tags: No tags attached.

Relationships:
duplicate of 0012034 (design defect, acknowledged, Triage Platform Base): Cross-site Scripting in the generated xxx_Relation.html files

Notes

(0043095) shuehner (administrator), 2011-11-22 18:31

Consolidating issue based on same source file. Keeping all of them in issue 12034.

Issue History
Date Modified Username Field Change
2010-01-21 18:16 efriese New Issue
2010-01-21 18:16 efriese Assigned To => alostale
2010-01-25 08:15 alostale Status new => scheduled
2010-01-25 08:15 alostale Assigned To alostale => shuehner
2011-11-22 18:31 shuehner Relationship added duplicate of 0012034
2011-11-22 18:31 shuehner Note Added: 0043095
2011-11-22 18:31 shuehner Status scheduled => closed
2011-11-22 18:31 shuehner Resolution open => duplicate
