ofbiz-user mailing list archives

From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Fw: Calling service remotely - security concern
Date Thu, 01 Jul 2010 09:30:20 GMT
Forwarded, not sure why it's needed... Looks like OE-QuoteFix is the culprit...

Jacques

----- Original Message ----- 
From: "Jacques Le Roux" <jacques.le.roux@les7arts.com>
To: <user@ofbiz.apache.org>
Sent: Thursday, July 01, 2010 10:35 AM
Subject: Re: Calling service remotely - security concern


> Indeed, looks like a real security concern. I did not look on how to retrieve another
> user's UserLogin though. If this is possible then it's a real concern!
>
> Jacques
>
> Scott Gray wrote:
>> I think Muhammed's point is that once a user has authenticated using their own username/password,
>> it is possible that they could retrieve another user's UserLogin record and then use it to
>> execute services without needing to know that user's password.
>>
>> Regards
>> Scott
>>
>> HotWax Media
>> http://www.hotwaxmedia.com
>>
>> On 1/07/2010, at 7:58 PM, Jacques Le Roux wrote:
>>
>>> In your example you needed 1st to know the login/pwd couple. So I can't see the
>>> problem here.
>>>
>>> Jacques
>>>
>>> From: "Muhammed Aamir" <mail@aamir.pk>
>>>>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>>>>> by default: 1) login.username 2) login.password and 3) loginUser.
>>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>>>> loginUser GV (which he somehow got hold of, may be by invoking getRelated
>>>>>> sort of method on some other GV) which might not belong to her.
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 1, 2010, at 1:42, David E Jones <dejc@me.com> wrote:
>>>
>>>>>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>>>>>> by default: 1) login.username 2) login.password and 3) loginUser.
>>>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>>>>> loginUser GV (which he somehow got hold of, may be by invoking getRelated
>>>>>>> sort of method on some other GV) which might not belong to her.
> 
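The concern raised in the thread is a trust-boundary bug pattern: a service layer checks the caller's credentials but then acts as whatever loginUser object the caller hands it. The following is an added, constructed example (not OFBiz code; the user store, dispatcher functions and toy service are hypothetical) contrasting that pattern with a dispatcher that binds the identity from the verified credentials only.

```python
"""Model of an auth="true" service call that also receives a loginUser value.

Constructed example, not OFBiz code: an in-memory user table, a dispatcher
that honours the caller-supplied loginUser (the pattern the thread worries
about), and a hardened dispatcher that derives loginUser from the verified
credentials and discards whatever the caller passed.
"""
import hashlib
import hmac


def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample user store: username -> (password hash, UserLogin record).
USERS = {
    "alice": {"pwhash": _h("alice-pw"), "loginUser": {"userLoginId": "alice", "partyId": "P100"}},
    "admin": {"pwhash": _h("admin-pw"), "loginUser": {"userLoginId": "admin", "partyId": "P001"}},
}


def authenticate(username, password):
    """Return the UserLogin record for valid credentials, else None."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["pwhash"], _h(password)):
        return None
    return rec["loginUser"]


def whoami_service(ctx):
    """Toy service: reports which UserLogin it is acting on behalf of."""
    return ctx["loginUser"]["userLoginId"]


def dispatch_trusting_caller(service, ctx):
    """Pattern under discussion: credentials are checked, but the service runs
    with the loginUser the caller supplied, so identity is caller-controlled."""
    if authenticate(ctx["login.username"], ctx["login.password"]) is None:
        raise PermissionError("bad credentials")
    return service({"loginUser": ctx["loginUser"]})


def dispatch_binding_identity(service, ctx):
    """Hardened pattern: loginUser is always the record resolved from the
    verified credentials; a caller-supplied loginUser is ignored."""
    login_user = authenticate(ctx["login.username"], ctx["login.password"])
    if login_user is None:
        raise PermissionError("bad credentials")
    return service({"loginUser": login_user})


def rejected(dispatch, ctx):
    """True if the dispatcher refuses the call (helper for checks below)."""
    try:
        dispatch(whoami_service, ctx)
        return False
    except PermissionError:
        return True


# Constructed request: alice authenticates as herself but passes admin's UserLogin.
REQUEST = {"login.username": "alice", "login.password": "alice-pw",
           "loginUser": USERS["admin"]["loginUser"]}
```

Running `dispatch_trusting_caller(whoami_service, REQUEST)` reports "admin", while `dispatch_binding_identity` reports "alice" for the same request; both reject a wrong password.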


