ofbiz-user mailing list archives

From Frein Mccain <frein.mcc...@gmail.com>
Subject OFBiz security issues.
Date Mon, 06 Dec 2010 16:41:51 GMT
I've developed an application on OFBiz and found some security issues during
testing. Here is the list:

A. Information Leakage through persistent cookies: The web application
stores sensitive session information in a permanent cookie (on disk).

Impact of this issue:

• This information may be compromised or used for identity theft or user
impersonation.
• The account information may be stolen and used later by a malicious user.

I've checked the Set-Cookie header and found that the session id cookie has
a future expiration date.
So, my question is: why does OFBiz store sensitive information in persistent
cookies instead of non-permanent (RAM) cookies only, and how can this be fixed?
B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The
Secure attribute for sensitive cookies in HTTPS sessions is not set.

Impact:

• It is possible to move the ability to enforce the cookie logic to the
client-side (the browser). This could allow an attacker to send cookies
he/she is not authorized to send.

I've checked the Set-Cookie header and found that the "secure"
attribute is missing.

Is there any property file where I can set the "secure" attribute for the
cookie?


Cheers,
Frein
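As an added example (not part of the original post and not OFBiz code), the Python script below audits Set-Cookie headers for the two conditions the post describes: a session cookie that is persistent (future Expires or positive Max-Age) and a session cookie served over HTTPS without the Secure attribute. The sample headers and the session cookie name JSESSIONID are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers; not captured from any real server.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Expires=Sun, 06 Dec 2099 16:41:51 GMT",
    "JSESSIONID=def456; Path=/; Secure; HttpOnly",
    "lang=en; Path=/; Max-Age=31536000",
]

# Assumption: the servlet container's session id cookie is named JSESSIONID.
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs get ""
    return name.strip(), value, attrs


def audit_set_cookie(header, now=None, https=True):
    """Return finding labels (A/B from the post) for a session cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_COOKIE_NAMES:
        return []  # only the session id cookie is treated as sensitive here
    findings = []
    # Issue A: cookie is written to disk if Max-Age > 0 or Expires is in the future.
    persistent = False
    if "max-age" in attrs:
        persistent = attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) > 0
    elif "expires" in attrs:
        try:
            persistent = parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            persistent = False  # unparseable or naive date: treat as session cookie
    if persistent:
        findings.append("A: persistent session cookie")
    # Issue B: over HTTPS the session cookie must carry the Secure attribute.
    if https and "secure" not in attrs:
        findings.append("B: Secure attribute missing")
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h.split(";")[0], "->", audit_set_cookie(h) or "ok")
```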
