I've developed an application on OFBiz and found some security issues during
testing. Here is the list:

*A. Information Leakage through persistent cookies: The web application
stores sensitive session information in a permanent cookie (on disk)*

*Impact of this issue:*

• This information may be compromised or used for identity theft or user
impersonation.
• The account information may be stolen and used later by a malicious user.

I've checked the Set-Cookie header and found that the session id cookie has
a future expiration date.
So, my question is: why does OFBiz store sensitive information in persistent
cookies instead of non-permanent cookies (RAM cookies) only, and how can I fix it?
*B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The
Secure attribute for sensitive cookies in HTTPS sessions is not set*

*Impact:*

• It is possible to move the ability to enforce the cookie logic to the
client side (the browser). This could allow an attacker to send cookies
he/she is not authorized to send.

I've checked the Set-Cookie header and found that the "Secure"
attribute is missing.

Is there any property file where I can set that "Secure" attribute for the
cookie?


Cheers,
Frein
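An added example (not part of Frein's post and not OFBiz code): a small Python checker that reads Set-Cookie header values and reports the two findings described above, a session cookie with a future Expires or a positive Max-Age (finding A), and a cookie set over HTTPS without the Secure attribute (finding B). The header values are constructed for illustration, and treating JSESSIONID as the session cookie name is an assumption.

```python
# Added example, not from the original post or from OFBiz.
# Audits Set-Cookie header values for the two findings discussed above.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: these cookie names carry the session identifier.
SESSION_COOKIE_NAMES = {"jsessionid"}

# Fixed "current time" so the persistence check is reproducible.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def is_persistent(attrs, now):
    """A cookie is written to disk when Max-Age > 0 or Expires is in the future.

    Max-Age takes precedence over Expires, as browsers apply it.
    """
    max_age = attrs.get("max-age")
    if max_age is not None and max_age is not True:
        try:
            return int(max_age) > 0
        except ValueError:
            return False
    expires = attrs.get("expires")
    if expires is not None and expires is not True:
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp > now
    return False


def audit_set_cookie(header, over_https=True, now=None):
    """Return the finding codes that apply to a single Set-Cookie header value."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    # Finding A: a session cookie that survives the browser session.
    if name.lower() in SESSION_COOKIE_NAMES and is_persistent(attrs, now):
        findings.append("A:persistent-session-cookie")
    # Finding B: cookie issued over HTTPS without Secure, so the browser
    # will also send it over plain HTTP.
    if over_https and "secure" not in attrs:
        findings.append("B:missing-secure")
    return findings


# Constructed sample headers: WEAK reproduces both findings, HARDENED neither.
WEAK = "JSESSIONID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED = "JSESSIONID=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header, "->", audit_set_cookie(header, now=FIXED_NOW) or "OK")
```

Run it against the raw Set-Cookie lines from a proxy capture; a session cookie that reports neither code, and is only ever issued over HTTPS, clears both scanner findings.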
