Thanks Aditya,

session-config is used to disable the JSESSIONID in the URL.



Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
www.hotwax.co

On Mon, Mar 12, 2018 at 2:52 PM, Aditya Sharma <
aditya.sha...@hotwaxsystems.com> wrote:

> Hi Sonali Agrahari,
>
> You can set security.login.externalLoginKey.enabled to false in the
> security.properties file for it.
>
> Or
>
> You can also prepare & load data for SystemProperty entity.
> <SystemProperty systemResourceId="security"
> systemPropertyId="security.login.externalLoginKey.enabled"
> systemPropertyValue="false"/>
>
> HTH
>
> Thanks and Regards,
>
> *Aditya Sharma* | Enterprise Software Engineer
> HotWax Commerce <http://www.hotwax.co/> by HotWax Systems
> <http://www.hotwaxsystems.com/>
>
> <https://www.linkedin.com/in/aditya-sharma-78291810a/>
>
> On Mon, Mar 12, 2018 at 2:36 PM, Deepak Dixit <
> deepak.di...@hotwaxsystems.com> wrote:
>
> > Hi Sonali Agrahari
> >
> > Your email has been moderated. Please subscribe to the mailing list:
> > http://ofbiz.apache.org/mailing-lists.html
> >
> >
> > Could you please share which OFBiz version you are using?
> > You can configure it using the session-config element in web.xml.
> >
> >
> > Thanks & Regards
> > --
> > Deepak Dixit
> > www.hotwaxsystems.com
> > www.hotwax.co
> >
> > ---------- Forwarded message ----------
> > From: Sonali Agrahari <sonaliagraha...@gmail.com>
> > To: user@ofbiz.apache.org
> > Cc:
> > Bcc:
> > Date: Mon, 12 Mar 2018 01:50:52 -0700 (MST)
> > Subject: Security threats in OFBiz
> > Hello all,
> >
> >    How can we resolve the "Privilege Escalation using an Under-Privileged
> > User" security issue, i.e.
> > after logging in to the application, when the URL of a web page, with its
> > external login key, is copied to another browser, that web page opens
> > without login and we can access the whole application.
> >
> > How can it be resolved?
> >
> > Kindly help.
> >
> >
> > Thank you
> >
> > Regards,
> >
> > Sonali Agrahari
> >
> > --
> > Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
> >
>
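The web.xml session-config that Deepak refers to, written out as an added example (not from the thread or from OFBiz itself); it assumes a Servlet 3.0 or later container and that the site is served over HTTPS for the secure flag:

```xml
<!-- web.xml fragment: keeps JSESSIONID out of URLs so a copied link does not
     carry the session along with it. Assumes a Servlet 3.0+ container. -->
<session-config>
  <!-- Session id is sent only in the cookie, never as ;jsessionid= in the URL -->
  <tracking-mode>COOKIE</tracking-mode>
  <cookie-config>
    <!-- Cookie is not readable by page scripts -->
    <http-only>true</http-only>
    <!-- Cookie is only sent over TLS; assumes HTTPS is in place -->
    <secure>true</secure>
  </cookie-config>
</session-config>
```

This only covers the servlet session id; the external login key in the original report is a separate OFBiz parameter, turned off through the security.login.externalLoginKey.enabled setting given above, which also stops links between OFBiz webapps from carrying the login across.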
