Hi Paul,

I tried hard to use it 9 months ago but did not succeed.

I even inadvertently committed my then-WIP work and then removed it at 
http://svn.apache.org/viewvc?view=revision&revision=1799243

I also tried the Tomcat RestCsrfPreventionFilter, see my comment in OFBIZ-6766 
at https://s.apache.org/ndCd

------------------------------------------------------------------------------------------------------------------------------------------------------

BTW (loosely related) when I worked on Ajax+JWT+CORS (OFBIZ-10307) I tried to use the Tomcat CORS Filter <https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter> but finally gave up.

It may be possible to use these filters the right way.

But like I did for securing cookies (OFBIZ-6655 https://s.apache.org/4bnJ http://svn.apache.org/viewvc?view=revision&revision=1809687) I prefer to handle it in our code and not depend on Tomcat for that.

YMMV

Sorry for the plain links in text, I have no time to play with [#] link stuff :)

Jacques


Le 17/04/2018 à 02:53, Paul Foxworthy a écrit :
Hi Michael,

I would say it is a vulnerability. OFBiz could make this distinction if we
add a hidden field to each form with a unique hash, and verify the hash is
correct when processing a POST. A spoofed form wouldn't have the right hash.

We are already using some of the OWASP (Open Web Application Security
Project, owasp.org) classes. They also have a library for CSRF prevention:
https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project . Would
this be useful?

Cheers

Paul Foxworthy

On 16 April 2018 at 19:22, Michael Brohl <michael.br...@ecomify.de> wrote:

Hi Sonali,

this is not a vulnerability.

You are logged in and posting a request from the same browser with the
same session. There is no chance for OFBiz to make a distinction between a
request initiated from an OFBiz generated page or any other page (like your
webmail) from the same browser/session.

Regards,

Michael


Am 16.04.18 um 06:08 schrieb Sonali Agrahari:

Hello all,
    I am using OFBiz 12.04 version in my application.
    When logged in to the application as admin user and open web mail in
another browser, suppose we received a mail which has a link
http://xyz.com/activate.html .
The link points to an html file as:

<html>
  <head>
  </head>
  <body>
    <!-- cross-site POST to the logged-in OFBiz instance; the browser attaches the session cookie -->
    <form action="https://localhost:8443/catalog/control/CreateProductCategory" name="f1" id="f1" method="post">
      <input type="hidden" name="sectorName" id="sectorName" value="SECTOR">
      <input type="hidden" name="productName" id="productName" value="PRODUCT">
    </form>
    <!-- submit as soon as the page loads, so the POST fires when the user follows the link -->
    <script>document.getElementById("f1").submit();</script>
  </body>
</html>

The user clicks on this link while he is logged on to the application. As
the crafted form is doing a post request in a valid session, the requested
post gets executed and the result will be displayed, i.e. all values will be
inserted into the database properly.
And the link gets opened in another tab of the same browser.

How can I resolve this type of vulnerability?
Kindly help.


Thanks & regards
Sonali

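The token check Paul describes above (a hidden per-form hash that the server verifies on every POST), worked through as an added example. This is not code from the thread or from OFBiz; it is written in Python rather than OFBiz's Java, and it assumes a constructed in-memory session store standing in for the servlet session, a hypothetical `_csrf_token` field name, and the request paths used in Sonali's report. It replays Michael's point: both requests carry the same valid session cookie, so the cookie cannot tell them apart, and only the token does.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (assumption:
# a real deployment would keep the secret in the container's HttpSession).
SESSIONS = {}


def new_session():
    """Create a session and give it a random CSRF secret that never leaves the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_secret": secrets.token_bytes(32)}
    return sid


def form_token(sid, form_action):
    """Per-form token: HMAC-SHA256 of the form action under the session secret.
    The server embeds this in the rendered form; a page on another origin has
    neither the secret nor (thanks to same-origin policy) a way to read the
    rendered HTML, so it cannot produce a matching value."""
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret, form_action.encode(), hashlib.sha256).hexdigest()


def render_form(sid, form_action, fields):
    """Server-side rendering: the hidden token goes in next to the real fields."""
    token = form_token(sid, form_action)
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields.items()
    )
    return (
        f'<form action="{form_action}" method="post">'
        f'<input type="hidden" name="_csrf_token" value="{token}">{inputs}</form>'
    )


def handle_post(request):
    """Request handler. `request` is a constructed dict: the session id from the
    cookie, the path posted to, and the submitted form fields. Returns an
    (http_status, message) pair and refuses the POST unless the token equals
    what the server would have rendered for this form in this session."""
    sid = request.get("cookie_session")
    if sid not in SESSIONS:
        return (401, "no valid session")
    submitted = request["form"].get("_csrf_token", "")
    expected = form_token(sid, request["path"])
    # Constant-time comparison: a plain == would leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return (403, "CSRF token missing or invalid")
    return (200, f"created {request['form'].get('productName')}")


def demo():
    """Legitimate submit, the crafted cross-site form from the thread, and a
    token lifted from a different form, all in the same logged-in session."""
    sid = new_session()  # the admin's logged-in session
    action = "/catalog/control/CreateProductCategory"

    # Legitimate flow: the server renders the form, the browser posts it back.
    html = render_form(sid, action, {"productName": "PRODUCT"})
    token = html.split('name="_csrf_token" value="')[1].split('"')[0]
    ok = handle_post({"cookie_session": sid, "path": action,
                      "form": {"_csrf_token": token, "productName": "PRODUCT"}})

    # Attacker's flow: the crafted page. The browser still attaches the
    # session cookie, but the form carries no token.
    forged = handle_post({"cookie_session": sid, "path": action,
                          "form": {"sectorName": "SECTOR", "productName": "PRODUCT"}})

    # A token minted for another form does not transfer to this one.
    other = form_token(sid, "/catalog/control/UpdateProductCategory")
    wrong_form = handle_post({"cookie_session": sid, "path": action,
                              "form": {"_csrf_token": other, "productName": "PRODUCT"}})
    return ok, forged, wrong_form


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Binding the token to the session secret and the form action is one way to get Paul's "unique hash per form" without storing a token per rendered page; the secret must be regenerated on login so a token issued to an anonymous session cannot be carried into an authenticated one.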