Hi Frein,

Please rather use the user ML for such questions. There has been a large effort regarding security issues; refer to https://issues.apache.org/jira/browse/OFBIZ-1525

Jacques

----- Original Message -----
From: Frein Mccain
To: Jacques Le Roux
Sent: Thursday, December 09, 2010 2:54 PM
Subject: Re: OFBiz security issues.

Jacques,

I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I am facing the same issue because I am using an old code base. In this post you posted the comment that "this issue has been Fixed by recent security efforts"; what does it mean? I tried to search for a patch for the fix so that I can make changes in my code... can you please help on this?

On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <[email protected]> wrote:

Frein,

Did you check David's suggestion?

Jacques

From: "Frein Mccain" <[email protected]>

Jacques,

I am using the 9.04 release.

On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <[email protected]> wrote:

Which release.revision have you used?

Jacques

From: "Frein Mccain" <[email protected]>

I've developed an application on OFBiz and found some security issues during testing. Here is the list:

A. Information Leakage through persistent cookies: The web application stores sensitive session information in a permanent cookie (on disk)

Impact of this issue:
• This information may be compromised or used for identity theft or user impersonation.
• The account information may be stolen and used later by a malicious user.

I've checked the Set-Cookie header, and found that the session id cookie has a future expiration date. So, my question is why OFBiz stores sensitive information in persistent cookies instead of non-permanent cookies (RAM cookies) only, and how to fix it.

B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The Secure attribute for sensitive cookies in HTTPS sessions is not set

Impact:
• It is possible to move the ability to enforce the cookie logic to the client-side (the browser). This could allow an attacker to send cookies he/she is not authorized to send.

I've checked the Set-Cookie header, and found that the "secure" attribute is missing. Is there any property file where I can set that "secure" attribute for the cookie?

Cheers,
Frein
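The two Set-Cookie checks Frein describes above (a session cookie with a future expiration date, and a sensitive cookie served over HTTPS without the Secure attribute), as an added Python example that is not part of this thread or of OFBiz itself. It assumes the servlet session cookie is named JSESSIONID and treats any other cookie with "session" in its name as sensitive; the sample headers are constructed, not captured from a real instance.

```python
"""Audit a Set-Cookie header for the two findings in the thread: a session
cookie made persistent (Expires/Max-Age) and a sensitive cookie sent over
HTTPS without the Secure attribute."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def is_sensitive(name):
    # Assumption: the servlet session cookie is JSESSIONID; any other cookie
    # with "session" in its name is treated as sensitive too.
    return name.upper() == "JSESSIONID" or "session" in name.lower()


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags get an empty value
    return name.strip(), value, attrs


def audit_set_cookie(header, over_https=True, now=None):
    """Return the findings for one Set-Cookie header; [] if it is clean."""
    name, _value, attrs = parse_set_cookie(header)
    if not is_sensitive(name):
        return []
    now = now or datetime.now(timezone.utc)
    findings = []
    # Persistent (on-disk) cookie: Max-Age takes precedence over Expires.
    if "max-age" in attrs:
        age = attrs["max-age"]
        if age.lstrip("-").isdigit() and int(age) > 0:
            findings.append("persistent: Max-Age=" + age)
    elif "expires" in attrs:
        try:
            if parsedate_to_datetime(attrs["expires"]) > now:
                findings.append("persistent: Expires is in the future")
        except (TypeError, ValueError):
            findings.append("persistent: unparsable Expires, treat as suspect")
    if over_https and "secure" not in attrs:
        findings.append("missing Secure attribute on an HTTPS session")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not a capture from a real OFBiz instance.
    for h in ["JSESSIONID=abc123; Path=/; Expires=Thu, 01 Jan 2037 00:00:00 GMT",
              "JSESSIONID=abc123; Path=/; Secure; HttpOnly"]:
        print(h.split(";")[0], "->", audit_set_cookie(h) or "clean")
```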
