Thanks Anil !!!

On Thu, Dec 16, 2010 at 12:29 PM, Anil Soni <[email protected]> wrote:
> Frein,
>
> Refer to this link
> http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
> for the cross site scripting solution.
>
> -----Original Message-----
> From: Frein Mccain [mailto:[email protected]]
> Sent: Monday, December 13, 2010 7:14 PM
> To: [email protected]
> Subject: Re: OFBiz security issues.
>
> My system is up and running with the old code base of OFBiz and I am facing
> a Cross-Site-Scripting security issue. I've referred to the issue
> https://issues.apache.org/jira/browse/OFBIZ-1525 but am not able to get the
> fix for the issue.
>
> Can anybody tell me if this issue is fixed in the latest code? If yes, then can
> you share some patch or commit version so that I can make changes in my code
> to fix it.
>
> @ David : I've checked the browser cookie and found that the session id
> cookie has a future expiration date and there is no secure attribute.
>
> And I am using the embedded Tomcat server only. Do you have any idea about
> the cookie setting?
>
> On Thu, Dec 9, 2010 at 9:39 PM, Jacques Le Roux <[email protected]> wrote:
>
> > Hi Frein,
> >
> > Please rather use the user ML for such questions. There has been a large
> > effort regarding security issues, refer to
> > https://issues.apache.org/jira/browse/OFBIZ-1525
> >
> > Jacques
> >
> > ----- Original Message -----
> > *From:* Frein Mccain <[email protected]>
> > *To:* Jacques Le Roux <[email protected]>
> > *Sent:* Thursday, December 09, 2010 2:54 PM
> > *Subject:* Re: OFBiz security issues.
> >
> > Jacques,
> >
> > I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I am
> > facing the same issue because I am using the old code base.
> > In this post you've posted the comment that "this issue has been Fixed by
> > recent security efforts", what does it mean?
> >
> > I tried to search for a patch for the fix so that I can make changes in my
> > code...can you please help on this?
> >
> > On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <[email protected]> wrote:
> >
> >> Frein,
> >>
> >> Did you check David's suggestion?
> >>
> >> Jacques
> >>
> >> From: "Frein Mccain" <[email protected]>
> >> Jacques,
> >>
> >> I am using the 9.04 release.
> >>
> >> On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <[email protected]> wrote:
> >>
> >>> Which release.revision have you used?
> >>>
> >>> Jacques
> >>>
> >>> From: "Frein Mccain" <[email protected]>
> >>>
> >>> I've developed an application on OFBiz and found some security issues
> >>> during testing. Here is the list:
> >>>
> >>> *A. Information Leakage through persistent cookies : The web application
> >>> stores sensitive session information in a permanent cookie (on disk)*
> >>>
> >>> *Impact of this issue :*
> >>>
> >>> * This information may be compromised or used for identity theft or user
> >>> impersonation.
> >>> * The account information may be stolen and used later by a malicious
> >>> user.
> >>>
> >>> I've checked the Set-Cookie header, and found that the session id cookie
> >>> has a future expiration date.
> >>> So, my question is why OFBiz stores sensitive information in persistent
> >>> cookies instead of non-permanent cookies (RAM cookies) only, and how to
> >>> fix it.
> >>>
> >>> *B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
> >>> Secure attribute for sensitive cookies in HTTPS sessions is not set*
> >>>
> >>> *Impact:*
> >>>
> >>> * It is possible to move the ability to enforce the cookie logic to the
> >>> client-side (the browser). This could allow an attacker to send cookies
> >>> he/she is not authorized to send.
> >>>
> >>> I've checked the Set-Cookie header, and found that the "secure"
> >>> attribute is missing.
> >>>
> >>> Is there any property file where I can set that "secure" attribute for
> >>> the cookie?
> >>>
> >>> Cheers,
> >>> Frein
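The two cookie findings in the thread (A, a session id cookie with a future expiration date, and B, a cookie served over HTTPS without the Secure attribute) can be checked mechanically from the Set-Cookie headers a server returns. The following is an added example, not code from OFBiz, Tomcat or anyone on the thread: it parses Set-Cookie header values, reports finding A for a session cookie that carries a positive Max-Age or a future Expires, reports finding B for any cookie issued over HTTPS without Secure, and builds the corrected browser-lifetime header. It assumes the session cookie is Tomcat's default JSESSIONID (adjust SESSION_COOKIE_NAMES for other names); the sample headers are constructed, not captured from a real install.

```python
"""Audit Set-Cookie headers for the two findings raised in the thread:
(A) a session cookie made persistent via Expires or Max-Age, and
(B) a cookie issued over HTTPS without the Secure attribute.
Added example, not code from OFBiz or Tomcat; the headers below are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: the session id cookie is Tomcat's default JSESSIONID; add your own names here.
SESSION_COOKIE_NAMES = {"JSESSIONID"}

# Fixed "now" so the audit of the constructed samples is reproducible.
FIXED_NOW = datetime(2010, 12, 16, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names are
    lower-cased, and flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_persistent(attrs, now):
    """True when the browser will write the cookie to disk: a positive Max-Age, or
    an Expires date in the future. Max-Age=0 or a past Expires are deletions."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return True  # malformed Max-Age: flag it for review
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return True  # unparseable Expires: still flag it for review
    return False


def audit_set_cookie(header, over_https=True, now=None):
    """Return the list of finding codes for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name in SESSION_COOKIE_NAMES and is_persistent(attrs, now):
        findings.append("A:persistent-session-cookie")
    if over_https and "secure" not in attrs:
        findings.append("B:missing-secure")
    return findings


def session_cookie_header(name, value, http_only=True):
    """Build the corrected header: no Expires/Max-Age (browser-lifetime only) and
    Secure set. HttpOnly is added too because the thread also concerns XSS; it is
    not one of the two findings audited above."""
    header = f"{name}={value}; Path=/; Secure"
    if http_only:
        header += "; HttpOnly"
    return header


# Constructed sample headers (not captured from a real OFBiz install).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Expires=Thu, 16 Dec 2021 12:00:00 GMT",  # A and B
    "JSESSIONID=abc123; Path=/; Max-Age=0; Secure",                      # deletion, clean
    "theme=dark; Path=/; Max-Age=2592000",                               # B only: not a session cookie
    session_cookie_header("JSESSIONID", "abc123"),                       # corrected header, clean
]


def audit_samples(now=FIXED_NOW):
    """Audit every constructed sample header against the fixed clock."""
    return [audit_set_cookie(h, now=now) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, findings in zip(SAMPLE_HEADERS, audit_samples()):
        print(header, "->", findings or ["ok"])
```

Run it against the headers of a live session by pasting the Set-Cookie values you observe into SAMPLE_HEADERS; a cookie that trips finding A should be re-issued without Expires/Max-Age, and one that trips finding B needs the Secure attribute added wherever the container builds the session cookie.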
