Wouldn't you need to know the session id? If you call it, it would only return the data of your own session. Maybe someone else with more experience can comment.
On Tue, Apr 3, 2012 at 12:44 PM, Boris Hamanov <[email protected]> wrote:
> This one is in ecommerce controller.xml
>
> <request-map uri="getConfigDetailsEvent">
>     <security https="false" auth="false"/>
>     <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
>     <response name="success" type="none"/>
>     <response name="error" type="none"/>
> </request-map>
>
> I believe it is a very severe security threat as it does not require
> authentication and returns the session amongst many other things:
>
> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}
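The request-map quoted above is the pattern worth checking for across a whole controller.xml: a `<security auth="false">` entry whose event is served by a JSON handler. The script below is an added example, not OFBiz code and not anything posted in the thread. It parses a constructed sample controller.xml (the first request-map is the one from the thread, the other two are made up for contrast), lists every request-map that needs no login and is handled by a `jsonjava` or `json` event, and shows the hardened form of the `<security>` element (`https="true" auth="true"`). Assumptions, labelled in the code: an absent `<security>` element or attribute is treated as the OFBiz default of auth and https required, and the set of JSON event types is taken to be `jsonjava` and `json`.

```python
# Added example (not OFBiz code and not from the thread): audit a controller.xml
# for request-maps that are callable without login and are served by a JSON
# event, and show the hardened form of the <security> element.
import xml.etree.ElementTree as ET

# Constructed sample controller.xml: the first request-map is the one quoted in
# the thread; the other two are made up for contrast.
SAMPLE_CONTROLLER_XML = """\
<site-conf>
  <request-map uri="getConfigDetailsEvent">
    <security https="false" auth="false"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
           invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
  </request-map>
  <request-map uri="getConfigDetailsEventSecure">
    <security https="true" auth="true"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
           invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="false"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>
"""

# Event handler types assumed to serialize the event result as JSON.
# "jsonjava" is the type used in the thread; "json" is assumed to be OFBiz's
# other JSON handler type.
JSON_EVENT_TYPES = {"jsonjava", "json"}


def _is_true(value, default):
    """Interpret an XML boolean attribute; None means the attribute is absent."""
    return default if value is None else value.strip().lower() == "true"


def find_unauthenticated_json_events(xml_text, default_auth=True, default_https=True):
    """Return one dict per request-map that needs no login (auth="false") and is
    handled by a JSON event.  Assumption: an absent <security> element or
    attribute means the OFBiz default (auth and https required); change the
    defaults if your site-conf.xsd says otherwise."""
    root = ET.fromstring(xml_text)
    findings = []
    for rm in root.iter("request-map"):
        sec = rm.find("security")
        auth = _is_true(sec.get("auth") if sec is not None else None, default_auth)
        https = _is_true(sec.get("https") if sec is not None else None, default_https)
        if auth:
            continue  # login required: not the pattern we are looking for
        for ev in rm.findall("event"):
            if ev.get("type") in JSON_EVENT_TYPES:
                findings.append({
                    "uri": rm.get("uri"),
                    "https": https,
                    "event_type": ev.get("type"),
                    "path": ev.get("path"),
                    "invoke": ev.get("invoke"),
                })
    return findings


def harden_request_map(xml_text, uri):
    """Return the controller XML with the named request-map's <security>
    element set to https="true" auth="true" (the element is created if missing)."""
    root = ET.fromstring(xml_text)
    for rm in root.iter("request-map"):
        if rm.get("uri") != uri:
            continue
        sec = rm.find("security")
        if sec is None:
            sec = ET.Element("security")
            rm.insert(0, sec)
        sec.set("https", "true")
        sec.set("auth", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_unauthenticated_json_events(SAMPLE_CONTROLLER_XML):
        print("unauthenticated JSON event: uri=%(uri)s https=%(https)s "
              "-> %(path)s.%(invoke)s" % f)
    print(harden_request_map(SAMPLE_CONTROLLER_XML, "getConfigDetailsEvent"))
```

To run it against a real deployment, read each webapp's controller.xml into `find_unauthenticated_json_events`. A hit only means the endpoint is reachable without login and answers in JSON; whether it discloses anything sensitive depends on what the event puts in its result map, which the script does not evaluate.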
