ofbiz-user mailing list archives

From Michael Brohl <michael.br...@ecomify.de>
Subject Re: How to resolve CSRF attack
Date Mon, 16 Apr 2018 09:22:51 GMT
Hi Sonali,

this is not a vulnerability.

You are logged in and posting a request from the same browser with the 
same session. There is no chance for OFBiz to make a distinction between 
a request initiated from an OFBiz generated page or any other page (like 
your webmail) from the same browser/session.

Regards,

Michael


On 16.04.18 at 06:08, Sonali Agrahari wrote:
> Hello all,
>
>    I am using OFBiz 12.04 version in my application.
>    When logged in to the application as admin user and opening webmail in
> another browser, suppose we received a mail which has the link
> http://xyz.com/activate.html .
> The link points to an HTML file as:
>
> <html>
>   <head>
>    
> </head>
> <body>
>    <form action =
> "https://localhost:8443/catalog/control/CreateProductCategory" name = "f1"
> id = "f1" method = "post">
>       <input type = "hidden" name = "sectorName" id = "sectorName" value =
> "SECTOR" >
>        <input type = "hidden" name = "productName" id = "productName" value =
> "PRODUCT" >
>    </form>
>
> </body>
> </html>
>
> The user clicks on this link while he is logged on to the application. As
> the crafted form is doing a POST request in a valid session, the requested
> POST gets executed and the result will be displayed, i.e. all values will be
> inserted in the database properly.
> And the link gets opened in another tab of the same browser.
>
> How can I resolve this type of vulnerability?
> Kindly help.
>
>
> Thanks & regards
> Sonali
>
> --
> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
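For reference, the standard server-side defence against the cross-site POST described in the quoted message is a synchronizer token bound to the login session, checked on every state-changing request and backed by an Origin/Referer check. The block below is an added illustration written for this archive page, not OFBiz code: `CsrfGuard`, the `csrfToken` field name and the plain-dict `session`, `headers` and `form` are assumptions, and the request data in `demo()` is constructed to replay the scenario from the thread.

```python
import hmac
import secrets
from urllib.parse import urlparse


class CsrfGuard:
    """Synchronizer-token check for state-changing POSTs (added illustration;
    class, field name and dict-shaped request objects are assumptions)."""

    def __init__(self, own_origin: str) -> None:
        self.own_origin = own_origin  # scheme://host:port the app is served from

    def issue_token(self, session: dict) -> str:
        # One unguessable token per login session; the application embeds it as
        # a hidden field in every form it renders. A page on another site
        # cannot read our pages, so it cannot learn the value to submit it.
        if "csrf_token" not in session:
            session["csrf_token"] = secrets.token_urlsafe(32)
        return session["csrf_token"]

    def is_valid(self, session: dict, headers: dict, form: dict) -> bool:
        # 1. The submitted token must match the one bound to this session;
        #    a constant-time comparison avoids leaking it byte by byte.
        expected = session.get("csrf_token")
        submitted = form.get("csrfToken")
        if not expected or not submitted or not hmac.compare_digest(expected, submitted):
            return False
        # 2. Defence in depth: the browser-set Origin (or Referer) header must
        #    name our own site; a form hosted on xyz.com carries xyz.com here.
        source = headers.get("Origin") or headers.get("Referer")
        if not source:
            return False
        parsed = urlparse(source)
        return f"{parsed.scheme}://{parsed.netloc}" == self.own_origin


def demo() -> tuple:
    """Replays the thread's scenario with constructed request data."""
    guard = CsrfGuard("https://localhost:8443")
    session = {"userLogin": "admin"}  # constructed admin session
    token = guard.issue_token(session)
    # A form rendered by the application itself: same origin, carries the token.
    own_form = guard.is_valid(session, {"Origin": "https://localhost:8443"},
                              {"sectorName": "SECTOR", "csrfToken": token})
    # The form from the mail: valid session cookie, but no token and a foreign origin.
    mailed_form = guard.is_valid(session, {"Origin": "http://xyz.com"},
                                 {"sectorName": "SECTOR", "productName": "PRODUCT"})
    return own_form, mailed_form  # returns (True, False)
```

The session cookie alone is still sent with both requests, which is why the cookie cannot be the deciding factor; only the token (and the origin) separates the two.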
