ofbiz-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Re: OFBiz security issues.
Date Thu, 09 Dec 2010 16:09:20 GMT
Hi Frein,

Please use rather the user ML for such questions. There have been a large effort regarding
security issues, refer to https://issues.apache.org/jira/browse/OFBIZ-1525

  ----- Original Message ----- 
  From: Frein Mccain 
  To: Jacques Le Roux 
  Sent: Thursday, December 09, 2010 2:54 PM
  Subject: Re: OFBiz security issues.


  I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I am facing the same
issue because I am using old code base. 
  In this post you've post the commented that "this issue has been Fixed by recent security
efforts", what does it mean ?

  I tried to search for patch for the fix so that I can make changes in my code...can you
please help on this?

  On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:


    Did you check David's suggestion?


    From: "Frein Mccain" <frein.mccain@gmail.com>

    I am using 9.04 release.

    On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <
    jacques.le.roux@les7arts.com> wrote:

      Which release.revision have you used?


      From: "Frein Mccain" <frein.mccain@gmail.com>

      I've developed an application on OFBiz and found some security issues
      testing. Here are the list :

      *A. Information Leakage through persistent cookies : The web application
      stores sensitive session information in a permanent cookie (on disk)*
      *Impact of this issue :*
      • This information may be compromised or used for identity theft or user
      • The account information may be stolen and used later by a malicious user.

      I've checked the Set-Cookie header, and found that the session id cookie
      a future expiration date.
      So, my question is that why OFBiz stores sensitive information in
      cookies instead of non-permanent cookie(RAM cookies) only and how to fix
      *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
      Secure attribute for sensitive cookies in HTTPS sessions is not set*
      •  It is possible to move the ability to enforce the cookie logic to the
      client-side (the browser). This could allow an attacker to send cookies
      he/she is
       not authorized to send.

      I've checked the the Set-Cookie header, and found that the "secure"
      attribute is missing.

      Is there any property file where I can set that "secure" attribute for the


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message