Hi Michael,

I would say it is a vulnerability. OFBiz could make this distinction if we
add a hidden field to each form with a unique hash, and verify the hash is
correct when processing a POST. A spoofed form wouldn't have the right hash.

We are already using some of the OWASP (Open Web Application Security
Project, owasp.org) classes. They also have a library for CSRF prevention:
https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project . Would
this be useful?

Cheers

Paul Foxworthy

On 16 April 2018 at 19:22, Michael Brohl <michael.br...@ecomify.de> wrote:

> Hi Sonali,
>
> this is not a vulnerability.
>
> You are logged in and posting a request from the same browser with the
> same session. There is no chance for OFBiz to make a distinction between a
> request initiated from an OFBiz generated page or any other page (like your
> webmail) from the same browser/session.
>
> Regards,
>
> Michael
>
>
> On 16.04.18 at 06:08, Sonali Agrahari wrote:
>
>> Hello all,
>>
>>    I am using OFBiz 12.04 version in my application.
>>    When logged in to the application as an admin user and opening webmail in
>> another browser, suppose we received a mail which has the link
>> http://xyz.com/activate.html .
>> The link points to an HTML file as follows:
>>
>> <html>
>>   <head>
>>   </head>
>>   <body>
>>     <form action="https://localhost:8443/catalog/control/CreateProductCategory"
>>           name="f1" id="f1" method="post">
>>       <input type="hidden" name="sectorName" id="sectorName" value="SECTOR">
>>       <input type="hidden" name="productName" id="productName" value="PRODUCT">
>>     </form>
>>   </body>
>> </html>
>>
>> The user clicks on this link while he is logged on to the application. As
>> the crafted form is doing a POST request in a valid session, the requested
>> POST gets executed and the result will be displayed, i.e. all values will be
>> inserted in the database properly.
>> And the link gets opened in another tab of the same browser.
>>
>> How can I resolve this type of vulnerability?
>> Kindly help.
>>
>>
>> Thanks & regards
>> Sonali
>>


-- 
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia

Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: i...@coherentsoftware.com.au
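A sketch of the hidden-field check Paul describes above, added here as an example; it is not OFBiz code and not part of this thread. The in-memory session store, the field name `csrfToken` and the HMAC-over-(session, form name) construction are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server-side session store: session id -> CSRF secret.
# In a real deployment this lives in the HTTP session, never in the page.
SESSION_SECRETS: dict[str, bytes] = {}

FIELD = "csrfToken"  # assumed name of the hidden field


def _token(secret: bytes, session_id: str, form_name: str) -> str:
    # Bind the token to both the session and the form it was rendered for,
    # so a token lifted from one form cannot authorise a different request.
    msg = f"{session_id}\x00{form_name}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_name: str) -> str:
    """Value to render into <input type="hidden" name="csrfToken"> for form_name."""
    secret = SESSION_SECRETS.setdefault(session_id, secrets.token_bytes(32))
    return _token(secret, session_id, form_name)


def verify_post(session_id: str, form_name: str, fields: dict[str, str]) -> bool:
    """True only if the POST carries the token issued to this session for this form."""
    secret = SESSION_SECRETS.get(session_id)
    token = fields.get(FIELD)
    if secret is None or token is None:
        return False  # no session secret yet, or no token at all (e.g. a spoofed form)
    # Constant-time comparison so the check leaks nothing via timing.
    return hmac.compare_digest(token, _token(secret, session_id, form_name))


if __name__ == "__main__":
    admin = "sess-admin"  # constructed session id for the logged-in admin
    # Form rendered by an OFBiz page: the token is embedded as a hidden field.
    genuine = {"sectorName": "SECTOR", "productName": "PRODUCT",
               FIELD: issue_token(admin, "CreateProductCategory")}
    # The form from the e-mail above: same fields, same cookies, but no token.
    spoofed = {"sectorName": "SECTOR", "productName": "PRODUCT"}
    print("genuine accepted:", verify_post(admin, "CreateProductCategory", genuine))  # True
    print("spoofed accepted:", verify_post(admin, "CreateProductCategory", spoofed))  # False
```

The browser still sends the session cookie with the spoofed POST; the check works because the third-party page cannot read the token that OFBiz rendered into its own form.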
