From: "Aditya Sharma (JIRA)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Date: Sun, 16 Jun 2019 14:58:00 +0000 (UTC)
Subject: [jira] [Comment Edited] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js

[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16865033#comment-16865033 ]

Aditya Sharma edited comment on OFBIZ-10678 at 6/16/19 2:57 PM:
----------------------------------------------------------------

Here is a patch with jQuery 3.4.1 replacing jQuery 1.11.0. Here are the inferences based on the following verifications:

Validations
Verify:
https://localhost:8443/catalog/control/CreateProductFeature
https://localhost:8443/catalog/control/EditProduct

jQuery Timepicker
https://localhost:8443/ordermgr/control/ListQuoteRoles?quoteId=CQ0001

jGrowl
Success and Error Messages on all the pages

jsTree
https://localhost:8443/humanres/control/main

Readmore
https://localhost:8443/ordermgr/control/returnMain?returnId=10007

jQuery UI
Used throughout OFBiz

Elrte
Steps:
1. Go to Content component (https://localhost:8443/content/control/main).
2. Click on Forum from submenu (https://localhost:8443/content/control/findForumGroups).
3. Click on forums link under Select column (https://localhost:8443/content/control/findForums?forumGroupId=WebStoreFORUM).
4. Click on messages link under Select column (https://localhost:8443/content/control/findForumMessages?forumGroupId=WebStoreFORUM&forumId=ASK).

Asm Select
https://localhost:8443/example/control/FormWidgetExamples (Multiple drop-downs)

jQuery hotkeys
https://localhost:8443/webpos/control/main

Jeditable
https://localhost:8443/example/control/authview/findExampleAjax (Name field is click and edit)

jQuery Mask
https://localhost:8443/example/control/FormWidgetExamples (Datetimepicker field)

jQuery flot
https://localhost:8443/example/control/ExampleBarChart

Fancybox
Verify: https://localhost:8443/example/control/ListVisualThemes
Click on image
Fancybox TypeError: j.get(...).style.removeAttribute is not a function

All the plugins are working fine except Fancybox. We have to replace it with some alternative. Fancybox is now available at Fancyapps under the GPLv3 license for all open source applications. A commercial license is required for all commercial applications (including sites, themes and apps you plan to sell). I have found an alternative, Lightbox, for it.
http://fancybox.net/
http://fancyapps.com/fancybox/3/#license

Alternative: Lightbox under MIT license (though I am still looking at some other options): http://ashleydw.github.io/lightbox/

> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> ----------------------------------------------------------------------
>
>                 Key: OFBIZ-10678
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10678
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>              Labels: Javascript, retire.js, vulnerabilities
>         Attachments: OFBIZ-10678.patch
>
>
> 3 years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and here are the results:
> h3. Trunk
> {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ↳ bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ↳ bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
>  ↳ jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
>  ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
>  ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
>  ↳ jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
>  ↳ jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R17
> {code}
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ↳ bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ↳ bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\require.js
>  ↳ jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.js
>  ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\angular.min.js
>  ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
>  ↳ jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release17.12\plugins\solr\webapp\solr\js\lib\jquery-1.7.2.min.js
>  ↳ jquery 1.7.2.min has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> {code}
> h3. R16
> {code}
>  ↳ jquery 1.11.0 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-1.11.0.min.js
>  ↳ jquery 1.11.0.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js
>  ↳ jquery-migrate 1.2.1 has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\specialpurpose\solr\webapp\solr\js\require.js
>  ↳ jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.min.js
>  ↳ jquery-mobile 1.4.0.min has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> C:\projectsASF\release16.11\framework\images\webapp\images\jquery\jquery.mobile\jquery.mobile-1.4.0.js
>  ↳ jquery-mobile 1.4.0 has known vulnerabilities: severity: medium; summary: open redirect leads to cross site scripting; http://sirdarckcat.blogspot.no/2017/02/unpatched-0day-jquery-mobile-xss.html
> {code}
> So it's time to update again the Javascript embedded libs. I'll check what I have done with OFBIZ-9269 before...

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
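The retire.js text report quoted in the issue is readable by eye but awkward to compare between Trunk, R17 and R16, or to turn into a per-library task list. What follows is an added example, not OFBiz code and not part of retire.js: a small Node.js parser for that text format, which pairs each file path line with the `↳ component version has known vulnerabilities: ...` line after it, splits the findings into severity, issue/bug number, summary, CVE and reference URLs, and rolls them up by component@version, severity and CVE. The sample report is constructed from four entries copied out of the Trunk output above; the `?` that the Windows console printed in place of the `↳` arrow is accepted as well. For fresh scans, retire.js's own `--outputformat json` is the better input; this parser is for reports that were captured as text, like the ones in this issue.

```javascript
// Added example: parse retire.js *text* reports (as pasted in OFBIZ-10678)
// into structured records and summarise them. Not OFBiz or retire.js code.

// Constructed sample: four entries copied from the Trunk run quoted above.
// One entry uses '?' where the console replaced the '↳' arrow.
const SAMPLE_REPORT = String.raw`
C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
 ↳ bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
 ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
 ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
`;

// "↳ <component> <version> has known vulnerabilities: <findings...>"
const HEADER = /^(?:↳|\?)\s*(\S+)\s+(\S+) has known vulnerabilities:\s*(.*)$/;

// One "medium; key: v, key: v; url url" chunk (the text after "severity: ")
// -> { severity, issue|bug|cve|summary..., urls }.
function parseFinding(chunk) {
  const parts = chunk.split(';').map((s) => s.trim());
  const finding = { severity: parts[0], urls: [] };
  if (parts.length > 1) {
    // Fields are comma separated, but only split before a "key: " token so
    // commas inside a summary survive.
    for (const field of parts[1].split(/,\s*(?=[A-Za-z]+:\s)/)) {
      const i = field.indexOf(':');
      if (i > 0) finding[field.slice(0, i).trim().toLowerCase()] = field.slice(i + 1).trim();
    }
  }
  if (parts.length > 2) finding.urls = parts.slice(2).join(';').split(/\s+/).filter(Boolean);
  return finding;
}

// Whole report -> [{ file, component, version, findings: [...] }]
function parseRetireReport(text) {
  const records = [];
  let pendingFile = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const m = HEADER.exec(line);
    if (!m) { pendingFile = line; continue; }   // a path line precedes each finding line
    const findings = m[3].split(/\s*severity:\s*/).filter(Boolean).map(parseFinding);
    records.push({ file: pendingFile, component: m[1], version: m[2], findings });
    pendingFile = null;
  }
  return records;
}

// Roll-up: where each component@version is shipped, findings per severity,
// and the distinct CVE set (the list that actually needs triage).
function summarize(records) {
  const components = {};
  const bySeverity = {};
  const cves = new Set();
  for (const r of records) {
    const key = `${r.component}@${r.version}`;
    (components[key] = components[key] || []).push(r.file);
    for (const f of r.findings) {
      bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
      if (f.cve) cves.add(f.cve);
    }
  }
  return { components, bySeverity, cves: [...cves].sort() };
}

console.log(JSON.stringify(summarize(parseRetireReport(SAMPLE_REPORT)), null, 2));
```

On the sample the roll-up reports `angularjs@1.3.8` in two files, eleven medium and two low findings, and five distinct CVEs; run over the Trunk and R16 outputs above it makes the difference between the branches (the R16-only jquery-migrate and jquery-mobile entries) a one-line diff.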
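Two of the findings above share one root cause: jQuery 1.7.x (bug 11290, CVE-2012-6708, "Selector interpreted as HTML") and jquery-migrate 1.2.1, which deliberately restores that pre-1.9 behaviour so old plugins keep working. Before 1.9, `jQuery(string)` treated any string containing a `<tag>` as HTML even when it began with selector text, so `$("div.user-" + untrusted)` became DOM injection; from 1.9 the string has to start with `<`. The block below is an added example, not jQuery or OFBiz code: it carries the two quick-expression regexes as they appear in jQuery 1.7.x and in jQuery 1.9+ (copied from jQuery's `init`; that regex gate is the only part of the `$(string)` decision modelled here), a classifier that reports how each version would route a string, and a check that flags strings whose routing changes across the upgrade, which is what to grep for when a jquery-migrate 1.x shim is dropped during the 3.4.1 move discussed in this ticket. The inputs are constructed.

```javascript
// Added example: how jQuery decides whether $(string) is HTML, an #id lookup
// or a selector, before and after the 1.9 fix for bug 11290 (CVE-2012-6708).
// The two regexes are copied from jQuery's init(); the rest is this example's own.

// jQuery 1.7.x: HTML may be preceded by anything that is not '#' or '<'.
const RQUICK_PRE_19 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.9 and later: HTML must start at the beginning (after whitespace).
const RQUICK_19 = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Route a string the way $(string) would: 'html', 'id' or 'selector'.
function classify(str, rquickExpr) {
  const m = rquickExpr.exec(str);
  if (m && m[1]) return 'html';              // parsed and inserted as markup
  if (m && m[2] !== undefined) return 'id';  // getElementById fast path
  return 'selector';                         // handed to the selector engine
}

// True when 1.7.x would inject the string as markup but 1.9+ would not.
// These are the call sites to review when upgrading, or while jquery-migrate
// 1.x is loaded, since it restores the old routing.
function routingChanges(str) {
  return classify(str, RQUICK_PRE_19) === 'html' && classify(str, RQUICK_19) !== 'html';
}

// Constructed inputs: a selector with an untrusted fragment appended, plus controls.
const SAMPLES = [
  'div.user-<img src=x onerror=alert(1)>', // selector prefix + injected tag
  '#foo <img src=x onerror=alert(1)>',      // '#'-prefixed: not HTML in either version
  '<p>hi</p>',                              // genuine HTML in both versions
  '#main',                                  // id lookup in both versions
  'div.user-alice',                         // plain selector in both versions
];

function audit(samples) {
  return samples.map((s) => ({
    input: s,
    jquery17: classify(s, RQUICK_PRE_19),
    jquery19: classify(s, RQUICK_19),
    changes: routingChanges(s),
  }));
}

console.table(audit(SAMPLES));
```

Only the first sample changes routing: 1.7.x turns it into an `<img>` with an `onerror` handler, 1.9+ hands it to the selector engine, which rejects it. The fix on the application side is the same in either version: never build `$()` input from untrusted text; look elements up by id with `document.getElementById` (or `$.escapeSelector` in jQuery 3) and pass them as nodes.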