This one is in ecommerce controller.xml

<request-map uri="getConfigDetailsEvent">
    <security https="false" auth="false"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>

I believe it is a very severe security threat as it does not require authentication and returns the session amongst many other things:

{"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}
Wouldn't you need to know the session id? If you call it, it would only return the data of your own session. Maybe someone else with more experience can comment.

On Tue, Apr 3, 2012 at 12:44 PM, Boris Hamanov <[hidden email]> wrote:
Hmmm, no result on my public shop setups (but I tend to clean up control.xml for unused stuff). Can you reproduce on the demo sites? Your tests seem to be on localhost.

Regards
Carsten

2012/4/4 Mike <[hidden email]>:

--
Best
Carsten Schinzer
Plankstettenstr. 7
80638 München
Germany
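The configuration pattern Boris quotes and Carsten says he prunes by hand (a request-map with auth="false" wired to a JSON event handler) can be found mechanically. The script below is an added example, not OFBiz code or anything posted in this thread: it parses a controller.xml and lists every request-map that needs no login and dispatches to a JSON-returning event. The embedded XML is a constructed fragment modelled on the request-map above plus two contrasting entries. Assumptions, labelled in the code too: a missing <security> element is treated like auth="false"; the event types "jsonjava" and "json" are the ones taken to emit request attributes as JSON; namespace prefixes are stripped so the check works whether or not the controller file declares a default namespace.

```python
"""Audit an OFBiz-style controller.xml for request-maps that run a JSON event
handler without requiring a login.

Added example, not OFBiz code. SAMPLE_CONTROLLER_XML is a constructed fragment
modelled on the request-map quoted in the thread, plus two contrasting entries.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_CONTROLLER_XML = """<site-conf>
  <!-- the request-map from the thread: no login, JSON event handler -->
  <request-map uri="getConfigDetailsEvent">
    <security https="false" auth="false"/>
    <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
  </request-map>
  <!-- constructed: same handler type, but a login is required -->
  <request-map uri="getCartDetails">
    <security https="true" auth="true"/>
    <event type="jsonjava" path="org.example.Events" invoke="getCartDetails"/>
    <response name="success" type="none"/>
  </request-map>
  <!-- constructed: anonymous, but renders a view instead of dumping JSON -->
  <request-map uri="main">
    <security https="false" auth="false"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>
"""

# Assumption: these event types serialise request attributes straight to the client.
JSON_EVENT_TYPES = ("jsonjava", "json")


def _local(tag):
    """Strip a namespace prefix ('{uri}name' -> 'name') so the audit works whether or
    not the controller file declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def audit_controller(xml_text, json_event_types=JSON_EVENT_TYPES):
    """Return one dict per request-map that needs no authentication and dispatches
    to a JSON event handler."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        if _local(node.tag) != "request-map":
            continue
        security = event = None
        for child in node:
            name = _local(child.tag)
            if name == "security":
                security = child
            elif name == "event":
                event = child
        # Assumption: no <security> element behaves like auth="false".
        auth_required = security is not None and security.get("auth", "false").lower() == "true"
        https_required = security is not None and security.get("https", "false").lower() == "true"
        if auth_required or event is None:
            continue
        if event.get("type", "").lower() not in json_event_types:
            continue
        findings.append({
            "uri": node.get("uri", ""),
            "https": https_required,
            "type": event.get("type", ""),
            "handler": f"{event.get('path', '')}#{event.get('invoke', '')}",
        })
    return findings


def format_report(findings):
    """Render findings one per line, suitable for a build log."""
    if not findings:
        return "no unauthenticated JSON request-maps found"
    lines = [f"{len(findings)} unauthenticated JSON request-map(s):"]
    for f in findings:
        https = "https" if f["https"] else "http-ok"
        lines.append(f"  {f['uri']:<30} {f['type']:<9} {https:<8} {f['handler']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a path to a real controller.xml, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONTROLLER_XML
    print(format_report(audit_controller(text)))
```

Run it over each webapp's controller.xml; every line it prints is a request anyone on the network can hit and get a JSON dump back from, so each one either needs a reason to stay anonymous or an auth="true".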
From trunk demo, I get only

{"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper is null"}

Could you reproduce there?

Jacques
Just do

1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent
3. You get:

{"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}

4. Use your imagination :)

-----Original Message-----
From: Jacques Le Roux
Date: 4 April 2012, 20:43
To: [hidden email]
Subject: Re: Dangerous security hole?
That is just your own session. I first tried the second link and it returned no session information. The only thing that is questionable (or useful to hackers) is the fact that it returns the physical path of the ofbiz instance (i.e. /home/ofbiz/branch9/... etc), which isn't great.

On Thu, Apr 5, 2012 at 11:59 AM, Boris Hamanov <[hidden email]> wrote:
OK, you provided links to demo-old.ofbiz which is actually R09.04 (exactly release09.04-1303717). But the same is still true in trunk, I checked.

Now, I may be missing something, but I don't see how the javax.servlet.request.ssl_session would expose any security holes. It's not related to the session (jsessionId). It is just an Id that is part of SSL, and OFBiz doesn't use it at all. Hence it's not used in any session related mechanism.

So my answer would be: there is no security hole regarding javax.servlet.request.ssl_session (id) exposed in a json result (the request being protected or not).

Did you have something in mind?

Jacques
The main issue regardless of the URL being hit is that JSON responses return the entire request attribute map. It is IMO a problem that we've always used the request attributes directly to pass data from events to views.
Regards
Scott

On 6/04/2012, at 10:09 AM, Jacques Le Roux wrote:
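Scott's point, that the JSON handler serialises the whole request attribute map, can be set beside the alternative he implies, an event that hands back only the fields it means to. The code below is an added example, not OFBiz code or anything from this thread. REQUEST_ATTRIBUTES is constructed from the keys visible in the JSON replies above (the ssl_session value abbreviated, a "productId" entry added to stand for the data an event actually intends to return); serialize_all mirrors the dump-everything behaviour, serialize_allowed emits only an explicit allowlist, and leak_report shows what the first form sends that the second withholds, grouped by where the key came from. The three origin labels (servlet container, framework bookkeeping, application) and the CLIENT_FIELDS allowlist are my own, not OFBiz terms.

```python
"""Dump-everything JSON response beside an allowlisted one.

Added example, not OFBiz code. REQUEST_ATTRIBUTES is constructed from the keys
seen in the thread's JSON replies; values are abbreviated or made up.
"""
import json
import re

REQUEST_ATTRIBUTES = {
    "targetRequestUri": "/getConfigDetailsEvent",
    "thisRequestUri": "getConfigDetailsEvent",
    "javax.servlet.request.key_size": 256,
    "javax.servlet.request.ssl_session": "E3193F0DADE7779A...",  # abbreviated
    "javax.servlet.request.cipher_suite": "DHE-RSA-AES256-SHA",
    "_CONTEXT_ROOT_": "/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/",
    "_SERVER_ROOT_URL_": "https://demo-old.ofbiz.apache.org",
    "_CONTROL_PATH_": "/ecommerce/control",
    "_ERROR_MESSAGE_": "configWrapper is null",
    "productId": "DEMO-0001",  # constructed: the kind of value an event means to return
}

# Constructed allowlist: what this particular event intends the browser to receive.
CLIENT_FIELDS = ("productId", "_ERROR_MESSAGE_")

# Framework bookkeeping keys in this thread all look like _UPPER_CASE_.
_FRAMEWORK_KEY = re.compile(r"^_[A-Z_]+_$")


def classify_key(key):
    """Label where a request attribute came from: the servlet container, the
    framework's own bookkeeping, or application code."""
    if key.startswith("javax.servlet.") or key.startswith("jakarta.servlet."):
        return "servlet"
    if _FRAMEWORK_KEY.match(key):
        return "framework"
    return "application"


def serialize_all(attrs):
    """The behaviour under discussion: every request attribute becomes part of the body."""
    return json.dumps(attrs, sort_keys=True)


def serialize_allowed(attrs, allowed=CLIENT_FIELDS):
    """Only the fields the event explicitly intends for the client are emitted;
    allowed keys that are absent are skipped rather than sent as null."""
    return json.dumps({k: attrs[k] for k in allowed if k in attrs}, sort_keys=True)


def leak_report(attrs, allowed=CLIENT_FIELDS):
    """Keys serialize_all would send but serialize_allowed withholds, grouped by origin."""
    report = {"servlet": [], "framework": [], "application": []}
    for key in sorted(attrs):
        if key not in allowed:
            report[classify_key(key)].append(key)
    return report


if __name__ == "__main__":
    print("dump-all :", serialize_all(REQUEST_ATTRIBUTES))
    print("allowlist:", serialize_allowed(REQUEST_ATTRIBUTES))
    for origin, keys in leak_report(REQUEST_ATTRIBUTES).items():
        print(f"withheld {origin:<11} {keys}")
```

The servlet-container keys are the ones Jacques argues are harmless and the framework keys include the filesystem path Mike objects to; the allowlisted form sends neither, and it also fails closed when a future event stores something new in the request, because an unlisted attribute never reaches the client.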