Just do

1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent

3. You get:
{"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}

4. Use your imagination :)

-----Original Message-----
From: Jacques Le Roux
Date: 04 April 2012 20:43
To: user@ofbiz.apache.org
Subject: Re: Dangerous security hole?

From trunk demo, I get only
{"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper is null"}

Could you reproduce there?

Jacques

From: "Boris Hamanov" <bsh...@gmail.com>
This one is in ecommerce controller.xml

<request-map uri="getConfigDetailsEvent">
    <security https="false" auth="false"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>

I believe it is a very severe security threat, as it does not require authentication and returns the session amongst many other things:

{"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}
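A defender-side audit of the kind of configuration quoted above, added here as an example and not part of the original thread or of OFBiz itself. It parses a controller.xml fragment with the standard library and lists every request-map that invokes an event without requiring both authentication and HTTPS, which is how a deployer could find further entries like getConfigDetailsEvent before they are reachable anonymously. The sample document is constructed inline from the request-map quoted in the thread plus a made-up authenticated request-map (uri "checkoutReview", class "org.example.Hypothetical") for contrast; treating a missing attribute as "false" is an assumption of this audit, not something the thread states.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the request-map quoted in the thread, plus a made-up
# authenticated request-map (uri and class are hypothetical) for contrast.
SAMPLE_CONTROLLER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<site-conf>
  <request-map uri="getConfigDetailsEvent">
    <security https="false" auth="false"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
  </request-map>
  <request-map uri="checkoutReview">
    <security https="true" auth="true"/>
    <event type="java" path="org.example.Hypothetical" invoke="review"/>
    <response name="success" type="view" value="checkoutreview"/>
  </request-map>
</site-conf>
"""


def _flag(value):
    # Attribute values are the strings "true"/"false"; an absent attribute is
    # treated as "false" here (conservative assumption made by this audit).
    return (value or "false").strip().lower() == "true"


def audit_request_maps(xml_text):
    """Return one finding per request-map that runs server-side code (has an
    <event>) while allowing unauthenticated and/or plain-HTTP access."""
    root = ET.fromstring(xml_text)
    findings = []
    for rm in root.iter("request-map"):
        event = rm.find("event")
        if event is None:
            continue  # pure view mapping, no event code runs; out of scope here
        sec = rm.find("security")
        auth = _flag(sec.get("auth") if sec is not None else None)
        https = _flag(sec.get("https") if sec is not None else None)
        if auth and https:
            continue  # both protections present; nothing to report
        findings.append({
            "uri": rm.get("uri"),
            "auth": auth,
            "https": https,
            "type": event.get("type"),
            "event": f'{event.get("path")}#{event.get("invoke")}',
        })
    return findings


if __name__ == "__main__":
    for f in audit_request_maps(SAMPLE_CONTROLLER_XML):
        print(f"{f['uri']}: auth={f['auth']} https={f['https']} "
              f"-> {f['event']} ({f['type']})")
```

Run against the sample, only getConfigDetailsEvent is reported, with auth and https both false and event type jsonjava; the jsonjava type is worth singling out in a real audit because, as the responses quoted in this thread show, it serialises request attributes such as javax.servlet.request.ssl_session straight back to the caller.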
