ofbiz-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anil Soni <Anil.S...@lntinfotech.com>
Subject RE: OFBiz security issues.
Date Thu, 16 Dec 2010 06:59:01 GMT
Frein,

Refer this link http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
for cross site scripting solution.



-----Original Message-----
From: Frein Mccain [mailto:frein.mccain@gmail.com]
Sent: Monday, December 13, 2010 7:14 PM
To: user@ofbiz.apache.org
Subject: Re: OFBiz security issues.

My system is up and running with old code base of OFBiz and I am facing
Cross-Site-Scripting security issue. I've referred the issue
https://issues.apache.org/jira/browse/OFBIZ-1525 but not able to get the fix
for the issue.

Can anybody tell is this issue fixed in latest code, if yes than can you
share some patch or commit version so that I can make changes in my code to
fix fit.

@ David : I've checked the browser cookie and found that the session id
cookie has a future expiration date and there is no secure attribute.

And I am using embedded Tomcat server only. Do you have any idea about
cookie setting ?



On Thu, Dec 9, 2010 at 9:39 PM, Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

>  Hi Frein,
>
> Please use rather the user ML for such questions. There have been a large
> effort regarding security issues, refer to
> https://issues.apache.org/jira/browse/OFBIZ-1525
>
> Jacques
>
> ----- Original Message -----
> *From:* Frein Mccain <frein.mccain@gmail.com>
> *To:* Jacques Le Roux <jacques.le.roux@les7arts.com>
> *Sent:* Thursday, December 09, 2010 2:54 PM
> *Subject:* Re: OFBiz security issues.
>
> Jacques,
>
> I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I am
> facing the same issue because I am using old code base.
> In this post you've post the commented that "this issue has been Fixed by
> recent security efforts", what does it mean ?
>
> I tried to search for patch for the fix so that I can make changes in my
> code...can you please help on this?
>
> On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Frein,
>>
>> Did you check David's suggestion?
>>
>>
>> Jacques
>>
>> From: "Frein Mccain" <frein.mccain@gmail.com>
>> Jacques,
>>
>> I am using 9.04 release.
>>
>> On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <
>> jacques.le.roux@les7arts.com> wrote:
>>
>> Which release.revision have you used?
>>>
>>> Jacques
>>>
>>> From: "Frein Mccain" <frein.mccain@gmail.com>
>>>
>>> I've developed an application on OFBiz and found some security issues
>>> during
>>> testing. Here are the list :
>>>
>>> *A. Information Leakage through persistent cookies : The web application
>>> stores sensitive session information in a permanent cookie (on disk)*
>>> **
>>> *Impact of this issue :*
>>> **
>>> * This information may be compromised or used for identity theft or user
>>> impersonation.
>>> * The account information may be stolen and used later by a malicious
>>> user.
>>>
>>> I've checked the Set-Cookie header, and found that the session id cookie
>>> has
>>> a future expiration date.
>>> So, my question is that why OFBiz stores sensitive information in
>>> persistent
>>> cookies instead of non-permanent cookie(RAM cookies) only and how to fix
>>> it.
>>> **
>>> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
>>> Secure attribute for sensitive cookies in HTTPS sessions is not set*
>>> **
>>> *Impact:*
>>> **
>>> *  It is possible to move the ability to enforce the cookie logic to the
>>> client-side (the browser). This could allow an attacker to send cookies
>>> he/she is
>>>  not authorized to send.
>>>
>>> I've checked the the Set-Cookie header, and found that the "secure"
>>> attribute is missing.
>>>
>>> Is there any property file where I can set that "secure" attribute for
>>> the
>>> cookie.
>>>
>>>
>>> Cheers,
>>> Frein
>>>
>>>
>>>
>>>
>>
>>
>

______________________________________________________________________

The contents of this e-mail and any attachment(s) may contain confidential or privileged information
for the intended recipient(s). Unintended recipients are prohibited from taking action on
the basis of information in this e-mail and  using or disseminating the information,  and
must notify the sender and delete it from their system. L&T Infotech will not accept responsibility
or liability for the accuracy or completeness of, or the presence of any virus or disabling
code in this e-mail"

______________________________________________________________________

Mime
View raw message