OK, you provided links to demo-old.ofbiz which is actually R09.04 (exactly release09.04-1303717)
But the same is still true in trunk, I checked.

Now, I may be missing something, but I don't see how the javax.servlet.request.ssl_session would expose any security holes.
It's not related to the session (jsessionId). It's just an id that is part of SSL, and OFBiz doesn't use it at all. Hence it's not used in any session-related mechanism.

So my answer would be: there is no security hole regarding the javax.servlet.request.ssl_session (id) exposed in a JSON result (whether the request is protected or not).

Did you have something in mind?

Jacques


From: "Boris Hamanov" <[email protected]>
Just do

1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent

3. You get:
{"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}

4. Use your imagination :)

-----Original Message----- From: Jacques Le Roux
Date: 4 April 2012, 20:43
To: [email protected]
Subject: Re: Dangerous security hole?

From trunk demo, I get only
{"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper is null"}

Could you reproduce there?

Jacques

From: "Boris Hamanov" <[email protected]>
This one is in ecommerce controller.xml

<request-map uri="getConfigDetailsEvent">
    <security https="false" auth="false"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>

I believe it is a very severe security threat as it does not require authentication and returns the session amongst many other things:

{"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}

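The three JSON bodies quoted in this thread all carry the same pattern: the event response echoes back request attributes wholesale, including container-set `javax.servlet.request.*` values and OFBiz-internal `_..._` entries, to a caller who did not authenticate. Regardless of how the question about the TLS session id is settled, the defensive practice is to serialize only the keys an event explicitly declares. The following is an added illustration, not OFBiz code; it assumes (an assumption, not confirmed by the thread) that the `jsonjava` response is built from the servlet request attribute map, and the sample map, its values and the class name `JsonAttributeFilter` are constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not OFBiz code): pass a request-attribute map through an
 * allowlist before it is serialized as a JSON event response, so that
 * container-managed "javax.servlet.request.*" attributes (ssl_session,
 * cipher_suite, key_size) and framework-internal "_..._" entries never
 * reach the caller. Attribute names mirror those seen in the thread; the
 * map contents are constructed dummies.
 */
public class JsonAttributeFilter {

    /** Keys this event is allowed to echo back; everything else is dropped. */
    private static final Set<String> ALLOWED =
            Set.of("targetRequestUri", "thisRequestUri", "_ERROR_MESSAGE_");

    public static Map<String, Object> filterForJson(Map<String, Object> requestAttributes) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : requestAttributes.entrySet()) {
            String key = e.getKey();
            // Container-set TLS attributes are never echoed, whatever the allowlist says.
            if (key.startsWith("javax.servlet.request.")) {
                continue;
            }
            if (ALLOWED.contains(key)) {
                out.put(key, e.getValue());
            }
        }
        return out;
    }

    /** Minimal JSON object writer for String/Number/Boolean values (enough for this example). */
    public static String toJson(Map<String, Object> map) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, Object> e : map.entrySet()) {
            if (!first) {
                sb.append(',');
            }
            first = false;
            sb.append('"').append(escape(e.getKey())).append("\":");
            Object v = e.getValue();
            if (v instanceof Number || v instanceof Boolean) {
                sb.append(v);
            } else {
                sb.append('"').append(escape(String.valueOf(v))).append('"');
            }
        }
        return sb.append('}').toString();
    }

    private static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    public static void main(String[] args) {
        // Constructed sample: same attribute names as in the thread, dummy values.
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("targetRequestUri", "/getConfigDetailsEvent");
        attrs.put("javax.servlet.request.key_size", 256);
        attrs.put("_CONTEXT_ROOT_", "/opt/ofbiz/specialpurpose/ecommerce/webapp/ecommerce/");
        attrs.put("javax.servlet.request.ssl_session", "CONSTRUCTED-SSL-SESSION-ID");
        attrs.put("_SERVER_ROOT_URL_", "https://shop.example");
        attrs.put("_CONTROL_PATH_", "/ecommerce/control");
        attrs.put("javax.servlet.request.cipher_suite", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
        attrs.put("thisRequestUri", "getConfigDetailsEvent");
        attrs.put("_ERROR_MESSAGE_", "configWrapper is null");

        System.out.println("unfiltered: " + toJson(attrs));
        // The filtered body keeps only targetRequestUri, thisRequestUri and _ERROR_MESSAGE_.
        System.out.println("filtered:   " + toJson(filterForJson(attrs)));
    }
}
```

The allowlist is per event on purpose: a denylist of known-sensitive prefixes drifts as the container or framework adds attributes, whereas an allowlist fails closed. The hard exclusion of the `javax.servlet.request.` prefix is kept as a second layer so that a too-generous allowlist cannot reintroduce the TLS attributes.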