That is just your own session.  I first tried the second link and it
returned no session information.  The only thing that is questionable (or
useful to hackers) is the fact that it returns the physical path of the
ofbiz instance (i.e. /home/ofbiz/branch9/... etc), which isn't great.

On Thu, Apr 5, 2012 at 11:59 AM, Boris Hamanov <bsh...@gmail.com> wrote:

> Just do
>
> 1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
> 2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent
>
> 3. You get:
> {"targetRequestUri":"/getConfigDetailsEvent",
> "javax.servlet.request.key_size":256,
> "_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/",
> "javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9",
> "_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org",
> "_CONTROL_PATH_":"/ecommerce/control",
> "javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA",
> "thisRequestUri":"getConfigDetailsEvent",
> "_ERROR_MESSAGE_":"configWrapper is null"}
>
> 4. Use your imagination :)
>
> -----Original Message----- From: Jacques Le Roux
> Date: 04 April 2012, 20:43
> To: user@ofbiz.apache.org
> Subject: Re: Dangerous security hole?
>
>
> From trunk demo, I get only
> {"targetRequestUri":"/getConfigDetailsEvent",
> "_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/",
> "_FORWARDED_FROM_SERVLET_":true,
> "_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org",
> "_CONTROL_PATH_":"/ecommerce/control",
> "thisRequestUri":"json",
> "_ERROR_MESSAGE_":"configWrapper is null"}
>
> Could you reproduce there?
>
> Jacques
>
> From: "Boris Hamanov" <bsh...@gmail.com>
> This one is in ecommerce controller.xml
>
> <request-map uri="getConfigDetailsEvent">
>     <security https="false" auth="false"/>
>     <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
>     <response name="success" type="none"/>
>     <response name="error" type="none"/>
> </request-map>
>
> I believe it is a very severe security threat, as it does not require
> authentication and returns the session amongst many other things:
>
> {"targetRequestUri":"/ViewSimpleContent",
> "javax.servlet.request.key_size":128,
> "_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\",
> "javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92",
> "_SERVER_ROOT_URL_":"https://localhost:8443",
> "_CONTROL_PATH_":"/husastore/control",
> "javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
> "thisRequestUri":"getConfigDetailsEvent",
> "_ERROR_MESSAGE_":"configWrapper is null"}
>
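
The controller.xml mapping quoted in the thread, shown beside a locked-down form, as an added example that is not from the thread or from the OFBiz project itself. It assumes only the standard `https` and `auth` attributes of the `<security>` element that the quoted mapping already uses; whether anonymous shoppers in the ecommerce webapp legitimately need this event is an application decision the example does not make.

```xml
<!-- As quoted in the thread: reachable without a login and over plain HTTP -->
<request-map uri="getConfigDetailsEvent">
    <security https="false" auth="false"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>

<!-- Hardened form (added example): require TLS and an authenticated session.
     auth="true" only restricts who may call the request; it does not change
     which request attributes (context root, SSL session id, ...) the jsonjava
     handler serialises in its reply, so the event's return map needs review too. -->
<request-map uri="getConfigDetailsEvent">
    <security https="true" auth="true"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>
```

The two mappings differ only in the `<security>` line; the comparison is the point, since the JSON replies quoted above show that the "error" response carries filesystem paths and the TLS session id regardless of who asked.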
