Frein, refer to this link http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php for the cross-site scripting solution.
-----Original Message-----
From: Frein Mccain [mailto:[email protected]]
Sent: Monday, December 13, 2010 7:14 PM
To: [email protected]
Subject: Re: OFBiz security issues.

My system is up and running with an old code base of OFBiz and I am facing a Cross-Site-Scripting security issue. I've referred to the issue https://issues.apache.org/jira/browse/OFBIZ-1525 but am not able to get the fix for the issue. Can anybody tell me whether this issue is fixed in the latest code? If yes, can you share some patch or commit version so that I can make changes in my code to fix it?

@ David : I've checked the browser cookie and found that the session id cookie has a future expiration date and there is no secure attribute. And I am using the embedded Tomcat server only. Do you have any idea about the cookie setting?

On Thu, Dec 9, 2010 at 9:39 PM, Jacques Le Roux < [email protected]> wrote:
> Hi Frein,
>
> Please rather use the user ML for such questions. There has been a large
> effort regarding security issues, refer to
> https://issues.apache.org/jira/browse/OFBIZ-1525
>
> Jacques
>
> ----- Original Message -----
> *From:* Frein Mccain <[email protected]>
> *To:* Jacques Le Roux <[email protected]>
> *Sent:* Thursday, December 09, 2010 2:54 PM
> *Subject:* Re: OFBiz security issues.
>
> Jacques,
>
> I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I am
> facing the same issue because I am using an old code base.
> In this post you posted the comment that "this issue has been Fixed by
> recent security efforts", what does it mean?
>
> I tried to search for a patch for the fix so that I can make changes in my
> code...can you please help on this?
>
> On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <
> [email protected]> wrote:
>
>> Frein,
>>
>> Did you check David's suggestion?
>>
>> Jacques
>>
>> From: "Frein Mccain" <[email protected]>
>> Jacques,
>>
>> I am using the 9.04 release.
>>
>> On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <
>> [email protected]> wrote:
>>
>>> Which release/revision have you used?
>>>
>>> Jacques
>>>
>>> From: "Frein Mccain" <[email protected]>
>>>
>>> I've developed an application on OFBiz and found some security issues
>>> during testing. Here is the list:
>>>
>>> *A. Information Leakage through persistent cookies: The web application
>>> stores sensitive session information in a permanent cookie (on disk)*
>>>
>>> *Impact of this issue:*
>>>
>>> * This information may be compromised or used for identity theft or user
>>> impersonation.
>>> * The account information may be stolen and used later by a malicious
>>> user.
>>>
>>> I've checked the Set-Cookie header, and found that the session id cookie
>>> has a future expiration date.
>>> So, my question is why OFBiz stores sensitive information in persistent
>>> cookies instead of non-permanent cookies (RAM cookies) only, and how to fix
>>> it.
>>>
>>> *B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The
>>> Secure attribute for sensitive cookies in HTTPS sessions is not set*
>>>
>>> *Impact:*
>>>
>>> * It is possible to move the ability to enforce the cookie logic to the
>>> client-side (the browser). This could allow an attacker to send cookies
>>> he/she is not authorized to send.
>>>
>>> I've checked the Set-Cookie header, and found that the "secure"
>>> attribute is missing.
>>>
>>> Is there any property file where I can set that "secure" attribute for
>>> the cookie?
>>>
>>> Cheers,
>>> Frein
>>>
______________________________________________________________________
The contents of this e-mail and any attachment(s) may contain confidential or privileged information for the intended recipient(s). Unintended recipients are prohibited from taking action on the basis of information in this e-mail and using or disseminating the information, and must notify the sender and delete it from their system. L&T Infotech will not accept responsibility or liability for the accuracy or completeness of, or the presence of any virus or disabling code in this e-mail.
______________________________________________________________________
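The two cookie findings in the thread (a session cookie with a future expiration date, and no Secure attribute on a cookie served over HTTPS) were confirmed by reading the Set-Cookie header by hand. The script below does the same check programmatically, so it can be run against every response of a crawl or a proxy log rather than one header at a time. It is an added example for this page, not OFBiz or Tomcat code and not a fix for either: it only reports what a Set-Cookie header says. The sample headers are constructed; JSESSIONID is assumed as the session cookie name because it is Tomcat's default, and the reference date is fixed to the thread's date so the result does not depend on the reader's clock.

```python
"""Audit Set-Cookie headers for the findings raised in the thread.

Added example, not OFBiz or Tomcat code. It reports
  A: a session cookie made persistent by Expires/Max-Age, and
  B: a cookie served over HTTPS without the Secure attribute,
and additionally flags a missing HttpOnly attribute.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Union

# Assumption: fixed reference time (the thread's date) so "future Expires"
# means the same thing whenever the example is run.
NOW_FOR_EXAMPLE = datetime(2010, 12, 13, tzinfo=timezone.utc)

# Assumption: cookie names treated as session identifiers. JSESSIONID is
# Tomcat's default; add the application's own names if it uses others.
SESSION_COOKIE_NAMES = ("JSESSIONID",)

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and an attribute map.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Expires, Max-Age) to their string.
    An Expires value contains a comma but never a semicolon, so splitting
    on ';' is safe.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(attrs: Attrs, now: datetime) -> bool:
    """True if the browser will write the cookie to disk.

    Max-Age takes precedence over Expires (RFC 6265, 4.1.2.2); Max-Age <= 0
    or a past Expires deletes the cookie; neither attribute means a
    session-only cookie that is discarded when the browser closes.
    """
    if "max-age" in attrs:
        try:
            return int(str(attrs["max-age"])) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(str(attrs["expires"]))
        except (TypeError, ValueError):  # unparseable date: treated as absent
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > now
    return False


def audit_set_cookie(header: str, over_https: bool = True,
                     now: Optional[datetime] = None) -> List[str]:
    """Return the findings for one Set-Cookie header (empty list if clean)."""
    now = now or NOW_FOR_EXAMPLE
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if cookie["name"].upper() in SESSION_COOKIE_NAMES and is_persistent(attrs, now):
        findings.append("A: session cookie is persistent (Expires/Max-Age set)")
    if over_https and "secure" not in attrs:
        findings.append("B: Secure attribute missing on an HTTPS cookie")
    if "httponly" not in attrs:
        findings.append("HttpOnly attribute missing")
    return findings


# Constructed sample headers. WEAK reproduces both findings from the thread
# (future Expires, no Secure); HARDENED is what the response should carry.
WEAK = "JSESSIONID=1A2B3C4D; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED = "JSESSIONID=1A2B3C4D; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header)
        for finding in audit_set_cookie(header) or ["no findings"]:
            print("  -", finding)
```

Pass `over_https=False` for responses captured on a plain-HTTP listener, otherwise every cookie is reported for finding B. The script only observes: whether the Secure and HttpOnly attributes and the lifetime of the session cookie are set is decided by the servlet container and the application that emits the header, which is where the fix has to be applied.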
