Hi Jacques,
Thanks for your reply. I will certainly take a look at the JIRA and will
also try to see if we can successfully implement a CSRF filter. I will provide
my inputs on the JIRA as well.
Best,
Girish Vasmatkar
HotWax Systems
On Thu, Sep 6, 2018 at 7:19 PM Jacques Le Roux
wrote:
> Hi
Hi Girish,
Sorry, I completely forgot I worked later on that. Please see OFBIZ-10427 where
I again tried the Tomcat CSRF filter w/o success.
It was suggested in the OFBiz security ML by Gregory Draperi (OFBiz committer
specialised in security) that we could handle that ourselves.
Thanks Jacques and Nicolas. I will take this further in the security group
and will soon have updates there. My bad, I didn't realise we need to take
it up over there.
Thanks and Best Regards,
Girish Vasmatkar
HotWax Systems
On Mon, Sep 3, 2018 at 1:21 PM Jacques Le Roux
wrote:
> Hi Girish,
>
>
Hi Girish,
Nicolas is right, I just want to say that I already tried to use the
CsrfPreventionFilter Tomcat Filter (wrongly noted RestCsrfPreventionFilter in
the link below) without success, please refer to
https://markmail.org/message/r245yie623cdo3wz
Your help is welcome :)
Jacques
Le
Hi Girish,
Thanks for your warm. If you want to detail your please prefer to send an
email to secur...@ofbiz.apache.org instead of opening an issue in JIRA.
Nicolas
On 02/09/2018 17:36, girish.vasmat...@hotwaxsystems.com wrote:
Hi All
It looks like there is no mechanism to prevent CSRF attacks in ofbiz. If I
am logged in to an ofbiz instance on my local and create a sample standalone HTML
page and try to submit to either a GET or a POST ofbiz URL, I am successfully
through and various cookies (applicable to the