[ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17058978#comment-17058978 ]

Jacques Le Roux edited comment on OFBIZ-4956 at 3/13/20, 6:26 PM:
------------------------------------------------------------------

It's better to close all possible holes; a request without authentication is an 
open door to XSS... A few cases need "false", like login-related requests of 
course...


was (Author: jacques.le.roux):
It's better to close all holes; a request without authentication is an open 
door to XSS...

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 11.04, Release Branch 12.04, Release 
> Branch 13.07, Trunk
>            Reporter: Amardeep Singh Jhajj
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-4956-Release-10.04.patch, 
> OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some urls present in application components with 
> auth="false", so anyone can hit these urls and access any resources 
> without authorization. 
> For example: 
> https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above url does not need authorization (you can access any 
> resource by changing the dataResourceId). I think all the urls should be 
> secured with auth="true" and https="true" in all the application components. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
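An added audit script, not part of the issue or of OFBiz itself, that applies the rule discussed in this thread to a controller.xml: it reports every request-map that is not explicitly auth="true" and https="true", and treats a missing security element as unspecified rather than as safe. The controller.xml sample and the login allow-list are constructed for illustration; the security element with its auth and https attributes follows the OFBiz controller syntax referenced in the issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on an OFBiz controller.xml. Only ViewSimpleContent
# is named in the issue; the other uris are placeholders.
SAMPLE_CONTROLLER_XML = """
<site-conf>
  <request-map uri="login">
    <security https="true" auth="false"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="ViewSimpleContent">
    <security https="false" auth="false"/>
    <response name="success" type="view" value="ViewSimpleContent"/>
  </request-map>
  <request-map uri="EditExample">
    <response name="success" type="view" value="EditExample"/>
  </request-map>
  <request-map uri="main">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>
"""

# Constructed allow-list: the few requests that legitimately run without a
# session (login-related ones, as the comment above notes). Adjust per webapp.
LOGIN_ALLOWLIST = frozenset({"login", "logout"})


def _local(tag):
    """Strip an XML namespace prefix: '{uri}request-map' -> 'request-map'."""
    return tag.rsplit("}", 1)[-1]


def find_unprotected_requests(controller_xml, allowlist=frozenset()):
    """Return [(uri, auth, https)] for every request-map outside the allow-list
    that does not carry security auth="true" AND https="true".
    A request-map with no <security> element is reported with None values."""
    root = ET.fromstring(controller_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "request-map":
            continue
        uri = elem.get("uri")
        if uri in allowlist:
            continue
        security = next((c for c in elem if _local(c.tag) == "security"), None)
        auth = security.get("auth") if security is not None else None
        https = security.get("https") if security is not None else None
        if auth != "true" or https != "true":
            findings.append((uri, auth, https))
    return findings


if __name__ == "__main__":
    for uri, auth, https in find_unprotected_requests(SAMPLE_CONTROLLER_XML, LOGIN_ALLOWLIST):
        print(f"{uri}: auth={auth} https={https}")
```

Point the script at each component's controller.xml and review every reported uri: either add security auth="true" https="true" or add the uri to the allow-list with a reason.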