ofbiz-notifications mailing list archives

From "Aditya Sharma (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
Date Sun, 16 Jun 2019 14:58:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16865033#comment-16865033 ]

Aditya Sharma edited comment on OFBIZ-10678 at 6/16/19 2:57 PM:
----------------------------------------------------------------

Here is a patch with jQuery 3.4.1 replacing jQuery 1.11.0. Here are the inferences based on the
following verifications:

Validations

Verify:
 [https://localhost:8443/catalog/control/CreateProductFeature]
 [https://localhost:8443/catalog/control/EditProduct]
Query Timepicker: [https://localhost:8443/ordermgr/control/ListQuoteRoles?quoteId=CQ0001]
jGrowl: Success and Error Messages on all the pages
jsTree: [https://localhost:8443/humanres/control/main]
Readmore: [https://localhost:8443/ordermgr/control/returnMain?returnId=10007]
jQuery UI: Used throughout OFBiz
Elrte: Steps:
 1. Go to Content component ([https://localhost:8443/content/control/main]).
 2. Click on Forum from submenu ([https://localhost:8443/content/control/findForumGroups]).
 3. Click on forums link under Select column ([https://localhost:8443/content/control/findForums?forumGroupId=WebStoreFORUM]).
 4. Click on messages link under Select column ([https://localhost:8443/content/control/findForumMessages?forumGroupId=WebStoreFORUM&forumId=ASK]).
Asm Select: [https://localhost:8443/example/control/FormWidgetExamples] (Multiple drop-downs)
Jquery hotkeys: [https://localhost:8443/webpos/control/main]
Jeditable: [https://localhost:8443/example/control/authview/findExampleAjax] (Name field is click and edit)
Jquery Mask: [https://localhost:8443/example/control/FormWidgetExamples] (Datetimepicker Field)
Jquery flot: [https://localhost:8443/example/control/ExampleBarChart]
Fancybox: Verify:
 [https://localhost:8443/example/control/ListVisualThemes] Click on image
 Fancybox TypeError: j.get(...).style.removeAttribute is not a function
 
 
All the plugins are working fine except the Fancybox. We have to replace it with some alternative.
Fancybox is now available at Fancyapps under the GPLv3 license for all open source applications.
A commercial license is required for all commercial applications (including sites, themes
and apps you plan to sell). I have found an alternative Lightbox for it.
 [http://fancybox.net/]
 [http://fancyapps.com/fancybox/3/#license]
Alternative:
Lightbox under MIT license (Though I am still looking at some other options) [http://ashleydw.github.io/lightbox/]

 


was (Author: aditya.sharma):
Here is a patch with jQuery 3.4.1 replacing jQuery 1.11.0. Here are the inferences based on the
following verifications:

Validations

Verify:
 [https://localhost:8443/catalog/control/CreateProductFeature]
 [https://localhost:8443/catalog/control/EditProduct]
Query Timepicker: [https://localhost:8443/ordermgr/control/ListQuoteRoles?quoteId=CQ0001]
jGrowl: Success and Error Messages on all the pages
jsTree: [https://localhost:8443/humanres/control/main]
Readmore: [https://localhost:8443/ordermgr/control/returnMain?returnId=10007]
jQuery UI: Used throughout OFBiz
Elrte: Steps:
 1. Go to Content component ([https://localhost:8443/content/control/main]).
 2. Click on Forum from submenu ([https://localhost:8443/content/control/findForumGroups]).
 3. Click on forums link under Select column ([https://localhost:8443/content/control/findForums?forumGroupId=WebStoreFORUM]).
 4. Click on messages link under Select column ([https://localhost:8443/content/control/findForumMessages?forumGroupId=WebStoreFORUM&forumId=ASK]).
Asm Select: [https://localhost:8443/example/control/FormWidgetExamples] (Multiple drop-downs)
Jquery hotkeys: [https://localhost:8443/webpos/control/main]
Jeditable: [https://localhost:8443/example/control/authview/findExampleAjax] (Name field is click and edit)
Jquery Mask: [https://localhost:8443/example/control/FormWidgetExamples] (Datetimepicker Field)
Jquery flot: [https://localhost:8443/example/control/ExampleBarChart]
Fancybox: Verify:
 [https://localhost:8443/example/control/ListVisualThemes] Click on image
 Fancybox TypeError: j.get(...).style.removeAttribute is not a function
 
 
All the plugins are working fine except the Fancybox. We have to replace it with some alternative.
Fancybox is now available at Fancyapps under the GPLv3 license for all open source applications.
A commercial license is required for all commercial applications (including sites, themes
and apps you plan to sell). I have found an alternative Lightcase for it.
[http://fancybox.net/]
[http://fancyapps.com/fancybox/3/#license]
Alternative:
Lightbox under MIT license (Though I am still looking at some other options) [http://ashleydw.github.io/lightbox/]

 

> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> ----------------------------------------------------------------------
>
>                 Key: OFBIZ-10678
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10678
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>              Labels: Javascript, retire.js, vulnerabilities
>         Attachments: OFBIZ-10678.patch
>
>
> 3 years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and here are the results:
> h3. Trunk
> {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
>  ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
>  ? jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R17
> {code}
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.min.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
>  ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
>  ? jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R16
> {code}
>  ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-1.11.0.min.js
>  ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js
>  ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\specialpurpose\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
>  ? jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
>  ? jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> {code}
> So it's time to update again the Javascript embedded libs. I'll check what I have done with OFBIZ-9269 before...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
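The retire.js report quoted in the issue above lists the same library and version once per copy of the file, so a tree with several embedded jQuery copies produces several near-identical findings. The script below is an added example (not OFBiz or retire.js code) that parses that plain-text report shape and collapses it into one inventory entry per (library, version), with the CVE ids and the files that carry them. It assumes only the line shapes visible in the quoted output: a file path on its own line, followed by a `? <lib> <version> has known vulnerabilities: ...` line whose `severity: ...` segments are the individual findings. The sample report embedded in the script is constructed from paths and CVE ids that appear in the issue, and its first line deliberately has no path before it, which is how the R16 block in the issue begins.

```python
"""Turn a retire.js plain-text report into a per-library inventory."""
import re
from collections import defaultdict

# Constructed sample, modelled on the report quoted in the issue; the paths and
# CVE ids are copied from it.  The first finding has no path line before it.
SAMPLE_REPORT = """\
 ? jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
C:\\projectsASF\\ofbiz\\plugins\\ecommerce\\webapp\\ecommerce\\js\\bootstrap.min.js
 ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
C:\\projectsASF\\ofbiz\\plugins\\solr\\webapp\\solr\\js\\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
C:\\projectsASF\\release16.11\\specialpurpose\\solr\\webapp\\solr\\js\\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
C:\\projectsASF\\release16.11\\framework\\images\\webapp\\images\\jquery\\jquery-migrate-1.2.1.js
 ? jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
C:\\projectsASF\\release16.11\\framework\\images\\webapp\\images\\jquery\\jquery-1.11.0.min.js
 ? jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974
"""

# One finding line: "? <lib> <version> has known vulnerabilities: <rest>".
FINDING_RE = re.compile(
    r"^\s*\?\s+(?P<lib>\S+)\s+(?P<version>\S+)\s+has known vulnerabilities:\s*(?P<rest>.*)$"
)
# The CVE field inside one severity segment (URLs mention CVE ids without "CVE: ").
CVE_RE = re.compile(r"\bCVE: (CVE-\d{4}-\d{4,})")
# The summary field, which may be followed by ", CVE: ..." before the closing ";".
SUMMARY_RE = re.compile(r"summary: (?P<summary>[^;]*?)(?:, CVE: CVE-\d{4}-\d{4,})?;")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_FILE = "<no path line>"


def parse_retire_report(text):
    """Return one dict per finding: file, library, version, severity, summary, cve."""
    findings = []
    current_file = UNKNOWN_FILE
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        match = FINDING_RE.match(line)
        if match is None:
            # Any non-finding line is the path that the following findings belong to.
            current_file = line.strip()
            continue
        # retire.js reports "jquery 1.11.0.min" for minified copies; the upgrade
        # decision is per version, so drop the suffix before grouping.
        version = re.sub(r"\.min$", "", match.group("version"))
        # Each "severity: ..." segment of the rest is one vulnerability.
        for segment in re.split(r"severity: ", match.group("rest")):
            if not segment.strip():
                continue
            summary_match = SUMMARY_RE.search(segment)
            cve_match = CVE_RE.search(segment)
            findings.append({
                "file": current_file,
                "library": match.group("lib"),
                "version": version,
                "severity": segment.split(";", 1)[0].strip().lower(),
                "summary": summary_match.group("summary").strip() if summary_match else "",
                "cve": cve_match.group(1) if cve_match else None,
            })
    return findings


def inventory(findings):
    """Group findings by (library, version): one upgrade decision per entry,
    with every file that needs the replacement and every CVE id reported."""
    grouped = defaultdict(lambda: {"files": set(), "cves": set(), "max_severity": None})
    for f in findings:
        entry = grouped[(f["library"], f["version"])]
        entry["files"].add(f["file"])
        if f["cve"]:
            entry["cves"].add(f["cve"])
        if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(entry["max_severity"], 0):
            entry["max_severity"] = f["severity"]
    return {
        key: {"files": sorted(v["files"]), "cves": sorted(v["cves"]), "max_severity": v["max_severity"]}
        for key, v in grouped.items()
    }


def main():
    for (lib, version), entry in sorted(inventory(parse_retire_report(SAMPLE_REPORT)).items()):
        cves = ", ".join(entry["cves"]) or "no CVE id in report"
        print(f"{lib} {version}: {entry['max_severity']}; {cves}; {len(entry['files'])} file(s)")


if __name__ == "__main__":
    main()
```

Run it as-is to see the four inventory entries from the sample, or feed it the saved output of a real `retire` run in place of `SAMPLE_REPORT`. The grouping is what makes the report actionable for a ticket like this one: the two `require.js` copies collapse into a single "jquery 1.7.1" entry with both CVE ids, and the minified and unminified 1.11.0 copies land in the same entry, so the remediation list is one line per library version rather than one per file.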
