ofbiz-user mailing list archives

From David E Jones <d...@me.com>
Subject Re: Calling service remotely - security concern
Date Sat, 03 Jul 2010 01:19:02 GMT

On Jul 1, 2010, at 7:48 PM, Scott Gray wrote:

> On 2/07/2010, at 1:19 PM, Muhammad Aamir wrote:
> 
>> Many records have a related userLogin record. For example createdBy field
>> can return the userLogin who created the record which might not be the same
>> as the logged in user. (I know you cannot execute getRelated etc. method
>> remotely but one can create facade etc as a work around).
> 
> This isn't a security issue unless a service exposes another user's UserLogin record;
> userLoginId is not enough. This doesn't happen OOTB as far as I can tell, so for this to
> be a security issue someone would have to write a custom service to expose it.

Keep in mind that such a service would (or should...) be an obvious security hole. The UserLogin
entity includes both the username and password, and even though the password is encrypted
that is still a vulnerability.

-David
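The hole David describes, as an added illustration that is not part of this message and not OFBiz code: a facade service that hands back the related UserLogin record wholesale leaks the stored password hash, and an unsalted hash is only one offline dictionary run away from the plaintext, while an allow-listed projection of just the identifying fields exposes nothing. The record layout, field names and hash encoding (unsalted hex SHA-1) are assumptions chosen for the demonstration; the real UserLogin entity and HashCrypt format may differ.

```python
"""Added illustration, not OFBiz code.

Shows (1) why returning a whole UserLogin record from a remotely callable
service is a security hole even when the password is stored hashed, and
(2) the allow-list projection a facade should return instead.  The record
layout and the unsalted hex SHA-1 encoding are assumptions for this demo.
"""
import hashlib

# Constructed sample record (assumed layout), as a naive facade would return it.
USER_LOGIN_RECORD = {
    "userLoginId": "flexadmin",
    # Stored hash, not plaintext: assumed unsalted hex SHA-1 of the password "ofbiz".
    "currentPassword": hashlib.sha1(b"ofbiz").hexdigest(),
    "enabled": "Y",
    "partyId": "10000",
    "lastUpdatedStamp": "2010-07-01 19:48:00",
}

# Fields a caller legitimately needs when a record's createdBy refers to another user.
SAFE_FIELDS = ("userLoginId", "partyId")

# Fields that must never leave the service (assumed names).
SENSITIVE_FIELDS = ("currentPassword", "passwordHint", "requirePasswordChange")

# Constructed wordlist standing in for a real dictionary attack.
WORDLIST = ["password", "admin", "ofbiz", "123456"]


def naive_facade(record):
    """The pattern under discussion: expose the related UserLogin record wholesale."""
    return dict(record)


def safe_facade(record):
    """Allow-list projection: only the identifying fields are returned."""
    return {k: record[k] for k in SAFE_FIELDS if k in record}


def leaks_credentials(response):
    """True if any credential-bearing field is present in a service response."""
    return any(field in response for field in SENSITIVE_FIELDS)


def crack_unsalted_sha1(hex_digest, wordlist):
    """Offline dictionary attack: hash each guess and compare to the leaked digest.

    Works because the assumed encoding is unsalted, so every guess costs one
    hash and a table of precomputed hashes would work across all users.
    """
    for candidate in wordlist:
        if hashlib.sha1(candidate.encode()).hexdigest() == hex_digest:
            return candidate
    return None


def demo():
    """Run both facades against the sample record and attack what leaks."""
    leaked = naive_facade(USER_LOGIN_RECORD)
    recovered = None
    if leaks_credentials(leaked):
        recovered = crack_unsalted_sha1(leaked["currentPassword"], WORDLIST)
    return {
        "naive_leaks": leaks_credentials(leaked),
        "safe_leaks": leaks_credentials(safe_facade(USER_LOGIN_RECORD)),
        "recovered_password": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the projection is not the specific field list but the direction of the filter: a remotely callable service should name the fields it returns rather than strip the ones it knows are dangerous, so a column added to the entity later does not become a new leak.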

