hmmm. No result on my public shop setups (but I tend to clean up control.xml for unused stuff). Can you reproduce on the demo sites? Your tests seem to be on localhost.

Regards
Carsten

2012/4/4 Mike <[email protected]>:
> Wouldn't you need to know the session id? If you call it, it would only
> return the data of your own session. Maybe someone else with more
> experience can comment.
>
> On Tue, Apr 3, 2012 at 12:44 PM, Boris Hamanov <[email protected]> wrote:
>
>> This one is in ecommerce controller.xml
>>
>> <request-map uri="getConfigDetailsEvent">
>>     <security https="false" auth="false"/>
>>     <event type="jsonjava"
>>            path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
>>            invoke="getConfigDetailsEvent"/>
>>     <response name="success" type="none"/>
>>     <response name="error" type="none"/>
>> </request-map>
>>
>> I believe it is a very severe security threat as it does not require
>> authentication and returns the session amongst many other things:
>>
>> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}

--
Best
Carsten Schinzer
Plankstettenstr. 7
80638 München
Germany
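The practical follow-up to Carsten's "I tend to clean up controller.xml" is an audit that lists which request-maps a deployment exposes without authentication. The script below is an added example written for this thread, not code from the OFBiz project or from anyone in the discussion. It parses a controller.xml with the standard library, reports every <request-map> whose <security> element has auth="false" (a missing <security> element is treated as unauthenticated, which is assumed here to match OFBiz's default), and records the event type so jsonjava endpoints like the quoted getConfigDetailsEvent stand out. The sample XML embedded in it is constructed for the demonstration: it contains the request-map quoted above plus two made-up entries for contrast.

```python
"""Audit an OFBiz controller.xml for request-maps reachable without authentication.

Added example for the mailing-list thread; not part of OFBiz itself.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample controller.xml (not a real OFBiz file): the request-map
# quoted in the thread plus two invented entries for contrast.
SAMPLE_CONTROLLER_XML = """<site-conf xmlns="http://ofbiz.apache.org/Site-Conf">
    <request-map uri="getConfigDetailsEvent">
        <security https="false" auth="false"/>
        <event type="jsonjava"
               path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
               invoke="getConfigDetailsEvent"/>
        <response name="success" type="none"/>
        <response name="error" type="none"/>
    </request-map>
    <request-map uri="exampleOrderHistory">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="orderhistory"/>
    </request-map>
    <request-map uri="exampleNoSecurityElement">
        <response name="success" type="view" value="main"/>
    </request-map>
</site-conf>
"""


def _local(tag):
    """Strip a namespace prefix ('{uri}name' -> 'name'). controller.xml files
    exist both with and without a default namespace, so match on local names."""
    return tag.rsplit("}", 1)[-1]


def find_unauthenticated_request_maps(xml_text):
    """Return a list of (uri, event_type, https_required) tuples for every
    request-map that does not require authentication.

    event_type is None when the map has no <event> child.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rm in root.iter():
        if _local(rm.tag) != "request-map":
            continue
        uri = rm.get("uri", "")
        security = next((c for c in rm if _local(c.tag) == "security"), None)
        event = next((c for c in rm if _local(c.tag) == "event"), None)
        # Assumption: with no <security> element, OFBiz treats the request as
        # auth="false" and https="false", so such maps are reported as well.
        auth = security.get("auth", "false") if security is not None else "false"
        https = security.get("https", "false") if security is not None else "false"
        if auth.strip().lower() != "true":
            event_type = event.get("type") if event is not None else None
            findings.append((uri, event_type, https.strip().lower() == "true"))
    return findings


def format_report(xml_text):
    """Render findings as plain-text lines; jsonjava/json events get a marker
    because they hand application data straight back to the caller."""
    lines = []
    for uri, event_type, https in find_unauthenticated_request_maps(xml_text):
        marker = "  <-- JSON event, review what it returns" if event_type and "json" in event_type else ""
        lines.append(f"{uri}: auth=false https={'true' if https else 'false'} event={event_type}{marker}")
    return lines


if __name__ == "__main__":
    # Usage: python audit_controller.py [path/to/controller.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONTROLLER_XML
    print("\n".join(format_report(text)) or "no unauthenticated request-maps found")
```

Run it against each webapp's controller.xml (the demo sites included) and compare the output with what the shop actually needs exposed; anything listed that is unused is a candidate for removal, and anything that must stay public should be checked for what its event puts into the response.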
