Hi Michael,

I would say it is a vulnerability. OFBiz could make this distinction if we add a hidden field to each form with a unique hash, and verify the hash is correct when processing a POST. A spoofed form wouldn't have the right hash.

We are already using some of the OWASP (Open Web Application Security Project, owasp.org) classes. They also have a library for CSRF prevention: https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project . Would this be useful?

Cheers

Paul Foxworthy

On 16 April 2018 at 19:22, Michael Brohl <[email protected]> wrote:

> Hi Sonali,
>
> this is not a vulnerability.
>
> You are logged in and posting a request from the same browser with the
> same session. There is no chance for OFBiz to make a distinction between a
> request initiated from an OFBiz generated page or any other page (like your
> webmail) from the same browser/session.
>
> Regards,
>
> Michael
>
>
> On 16.04.18 at 06:08, Sonali Agrahari wrote:
>
>> Hello all,
>>
>> I am using OFBiz 12.04 version in my application.
>> When logged in to the application as admin user and open web mail in
>> another browser, suppose we received a mail which has a link
>> http://xyz.com/activate.html .
>> The link points to an html file as:
>>
>> <html>
>> <head>
>> </head>
>> <body>
>> <form action =
>> "https://localhost:8443/catalog/control/CreateProductCategory" name =
>> "f1"
>> id = "f1" method = "post">
>> <input type = "hidden" name = "sectorName" id = "sectorName" value =
>> "SECTOR" >
>> <input type = "hidden" name = "productName" id = "productName"
>> value =
>> "PRODUCT" >
>> </form>
>>
>> </body>
>> </html>
>>
>> The user clicks on this link while he has logged on to the application. As
>> the crafted form is doing a post request in a valid session, the requested
>> post gets executed and result will be displayed, i.e. all values will be
>> inserted in database properly.
>> And the link gets opened in other tab of same browser.
>>
>> How can we resolve this type of vulnerability?
>> Kindly help.
>>
>>
>> Thanks & regards
>> Sonali
>>
>> --
>> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
>>
>

--
Coherent Software Australia Pty Ltd
PO Box 2773 Cheltenham Vic 3192 Australia
Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: [email protected]
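The "hidden field with a unique hash, verified on POST" that Paul proposes is the synchronizer token pattern. The following is an added, self-contained illustration of that check, written for this thread and not code from OFBiz or from OWASP CSRFGuard. It assumes a hypothetical in-memory session dict standing in for the servlet session, uses the request name CreateProductCategory and the field names sectorName/productName from Sonali's message as constructed sample data, and derives each form's token as an HMAC of the form id under a per-session secret, so the token is unique per session and per form without storing one token per rendered page. The post from the thread, which carries no token, is rejected; a token minted for another session or another form is rejected too.

```python
"""Synchronizer-token CSRF check (added example; hypothetical, not OFBiz code).

Each server-rendered form carries a hidden token derived from a per-session
secret and the form's identifier. A POST is honoured only when its token
matches the one the server would mint for that session and that form.
"""
import hashlib
import hmac
import secrets
from html.parser import HTMLParser

# Constructed sample: the request name and action path named in the thread.
FORM_ID = "CreateProductCategory"
ACTION = "/catalog/control/CreateProductCategory"


def new_session(user):
    """Constructed stand-in for the servlet session: a random CSRF secret per login."""
    return {"user": user, "csrf_secret": secrets.token_bytes(32)}


def form_token(session, form_id):
    """Per-form token: HMAC-SHA256 of the form id under the session's secret.

    Another origin cannot compute it (the secret never leaves the server except
    embedded in pages the same-origin policy keeps it from reading)."""
    return hmac.new(session["csrf_secret"], form_id.encode(), hashlib.sha256).hexdigest()


def render_form(session, form_id, action):
    """Server-side rendering: the hidden token is added to every form."""
    token = form_token(session, form_id)
    return (
        f'<form action="{action}" name="{form_id}" method="post">\n'
        f'  <input type="hidden" name="_csrf_token" value="{token}">\n'
        f'  <input type="text" name="sectorName">\n'
        f'  <input type="text" name="productName">\n'
        f"</form>"
    )


class _HiddenFields(HTMLParser):
    """Collects hidden inputs, as a browser includes them when the form is submitted."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def browser_submit(html, user_values):
    """Simulated legitimate submit: hidden fields from the page plus typed values."""
    parser = _HiddenFields()
    parser.feed(html)
    return {**parser.fields, **user_values}


def handle_post(session, form_id, fields):
    """Request handler: verify the token before performing the write.

    Returns (status, message). compare_digest keeps the comparison constant-time;
    encoding both sides avoids a TypeError on non-ASCII input."""
    submitted = str(fields.get("_csrf_token", ""))
    expected = form_token(session, form_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"created category {fields['productName']} in {fields['sectorName']}"


if __name__ == "__main__":
    session = new_session("admin")
    page = render_form(session, FORM_ID, ACTION)
    good = browser_submit(page, {"sectorName": "SECTOR", "productName": "PRODUCT"})
    print("from OFBiz page:", handle_post(session, FORM_ID, good))
    # The form in the thread posts the two values but has no token field.
    print("from foreign page:", handle_post(session, FORM_ID, {"sectorName": "SECTOR", "productName": "PRODUCT"}))
```

The token should be checked on every state-changing request (POST, and any GET that performs a write), and it belongs in the form body rather than in a cookie, since the browser would attach a cookie to the cross-site request just as it attaches the session cookie.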
