On 18/07/2020 at 11:34, Jacques Le Roux wrote:
On 13/07/2020 at 14:50, Jacques Le Roux wrote:
Something related I already shared in the security ML:
I guess we don't want to change (I don't mean the NOTE but the feature).
// NOTE: must check permission first so that admin users can set own
password without specifying old password
I
Hi James,
Inline...
On 13/07/2020 at 08:36, James Yong wrote:
Hi Jacques,
There are a number of reports relating to CSRF.
To reduce the number of false positive security alerts, I think the CSRF
defense should be turned on in the demo.
The OFBiz specific CSRF defense exists only in trunk
On 12/07/2020 at 13:07, Jacques Le Roux wrote:
Hi team,
We recently got a security report about checkNewPassword where it was claimed a
CSRF vulnerability because of ignoreCurrentPassword but I rejected it.
I have though added a comment in trunk to allow users to add OFBiz specific
CSRF
Hi Girish,
On 13/07/2020 at 05:48, Girish Vasmatkar wrote:
Hi Jacques
I think the vulnerability does not exist if the CSRF defence is in place.
Yes I already answered the same to the reporter and he agreed.
If there is no defence in place, there is a possibility of using system
account
Hi Jacques,
There are a number of reports relating to CSRF.
To reduce the number of false positive security alerts, I think the CSRF
defense should be turned on in the demo.
I feel there should be additional verification like checking current password
when the user is doing password change.
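The two checks discussed in this thread (a CSRF token bound to the session, and a current-password check that an admin with the right permission may skip, as the quoted NOTE describes) can be seen together in the following added example. It is not OFBiz code and not from any participant; the names `check_new_password`, `Session`, `PASSWORD_ADMIN` and the sample users are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical permission name (assumption); OFBiz defines its own permissions.
PASSWORD_ADMIN = "PASSWORD_ADMIN"


@dataclass
class User:
    login: str
    salt: bytes
    pw_hash: bytes
    permissions: set = field(default_factory=set)


@dataclass
class Session:
    user: User
    csrf_token: str  # token bound to the session and echoed back by each form


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(login: str, password: str, permissions=()) -> User:
    salt = secrets.token_bytes(16)
    return User(login, salt, hash_password(password, salt), set(permissions))


def verify(user: User, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def check_new_password(session: Session, users: dict, target_login: str,
                       current_password: str, new_password: str,
                       submitted_csrf_token: str) -> str:
    """Return a status string; the password is changed only when it is 'ok'."""
    # 1. CSRF defence: a cross-site forged request cannot know the session token,
    #    so a request riding on a logged-in session is still rejected here.
    if not hmac.compare_digest(session.csrf_token, submitted_csrf_token):
        return "csrf_rejected"
    target = users.get(target_login)
    if target is None:
        return "unknown_user"
    caller = session.user
    is_admin = PASSWORD_ADMIN in caller.permissions
    # 2. Only a caller with the admin permission may change another user's password.
    if target is not caller and not is_admin:
        return "permission_denied"
    # 3. Permission is checked first, so an admin may skip the current password
    #    (the ignoreCurrentPassword case); everyone else must prove they know it.
    if not is_admin and not verify(target, current_password):
        return "bad_current_password"
    if len(new_password) < 8:
        return "weak_password"
    target.salt = secrets.token_bytes(16)
    target.pw_hash = hash_password(new_password, target.salt)
    return "ok"


def demo() -> dict:
    """Constructed scenario: an ordinary user, an admin, and a forged request."""
    users = {"alice": make_user("alice", "alice-old-pw1"),
             "admin": make_user("admin", "admin-old-pw1", {PASSWORD_ADMIN})}
    alice = Session(users["alice"], secrets.token_urlsafe(32))
    admin = Session(users["admin"], secrets.token_urlsafe(32))
    return {
        # request on alice's session without her token: blocked by the CSRF check
        "forged_request": check_new_password(alice, users, "alice", "", "other-pw-123", "guess"),
        "wrong_current": check_new_password(alice, users, "alice", "nope", "alice-new-pw1", alice.csrf_token),
        "alice_ok": check_new_password(alice, users, "alice", "alice-old-pw1", "alice-new-pw1", alice.csrf_token),
        "alice_on_admin": check_new_password(alice, users, "admin", "alice-new-pw1", "x-pw-12345", alice.csrf_token),
        "admin_resets_alice": check_new_password(admin, users, "alice", "", "alice-reset-pw1", admin.csrf_token),
        "alice_new_works": verify(users["alice"], "alice-reset-pw1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of the checks is the point: the token comparison runs before anything else, so a forged request fails even on a valid admin session, and the permission check precedes the current-password check so that the admin shortcut cannot be reached by an ordinary user.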
Hi Jacques
I think the vulnerability does not exist if the CSRF defence is in place.
If there is no defence in place, there is a possibility of using system
account session to change the admin password.
As for bypassing current password check if the user is admin, it won't hurt
if the check was
Hi team,
We recently got a security report about checkNewPassword where it was claimed a
CSRF vulnerability because of ignoreCurrentPassword but I rejected it.
I have though added a comment in trunk to allow users to add OFBiz specific
CSRF defense in case it would be needed (peculiar