Hello all,

I am using OFBiz 12.04 in my application. When logged in to the application as admin user and opening web mail in another browser, suppose we receive a mail which has the link http://xyz.com/activate.html. The link points to an HTML file like this:

    <html>
      <head>
      </head>
      <body>
        <form action="https://localhost:8443/catalog/control/CreateProductCategory" name="f1" id="f1" method="post">
          <input type="hidden" name="sectorName" id="sectorName" value="SECTOR">
          <input type="hidden" name="productName" id="productName" value="PRODUCT">
        </form>
      </body>
    </html>

The user clicks on this link while he is logged on to the application. As the crafted form is doing a POST request in a valid session, the POST gets executed and the result is displayed, i.e. all values are inserted into the database properly. And the link gets opened in another tab of the same browser.

How can we resolve this type of vulnerability? Kindly help.

Thanks & regards
Sonali

--
Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
Hi Sonali,

Your last email has been moderated again: http://ofbiz.135035.n4.nabble.com/MODERATE-EMAIL-How-to-resolve-CSRF-attack-td4721783.html
The 1st one being https://markmail.org/message/jmkabexchsb7cvl2, 4 months ago.

Please, as Nabble also suggests to you, consider subscribing to the user ML: http://ofbiz.apache.org/mailing-lists.html. You will get better support, it's more fair to share with everybody there, and it's less work for moderators (thanks Deepak). The wider the audience, the better the answers you might get!

Thanks

This said, when I get a chance I'll try to answer you. But you should know that OFBiz 12.04 is no longer supported (it's 6 years old), so it's possible that this issue is fixed in newer releases but has not been backported to 12.04. The last supported release is 16.11.04: https://ofbiz.apache.org/download.html

Hope this helps while waiting for a better answer (again, subscribing will help ;))

Jacques
In reply to this post by Sonali Agrahari
Hi Sonali,

this is not a vulnerability. You are logged in and posting a request from the same browser with the same session. There is no chance for OFBiz to make a distinction between a request initiated from an OFBiz generated page and any other page (like your webmail) from the same browser/session.

Regards,

Michael
Hi Michael,

I would say it is a vulnerability. OFBiz could make this distinction if we add a hidden field to each form with a unique hash, and verify the hash is correct when processing a POST. A spoofed form wouldn't have the right hash.

We are already using some of the OWASP (Open Web Application Security Project, owasp.org) classes. They also have a library for CSRF prevention: https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project . Would this be useful?

Cheers

Paul Foxworthy

--
Coherent Software Australia Pty Ltd
PO Box 2773 Cheltenham Vic 3192 Australia
Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: [hidden email]

--
Coherent Software Australia Pty Ltd http://www.coherentsoftware.com.au/
Bonsai ERP, the all-inclusive ERP system http://www.bonsaierp.com.au/
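To make the mechanism in Paul's reply concrete against the form in Sonali's first mail, here is an added example of a synchronizer token (the per-session "unique hash in a hidden field" idea). It is not OFBiz code, not Paul's code and not OWASP CSRFGuard: the Session class, the field name csrfToken and the request maps are stand-ins constructed for this example so that it runs without a servlet container. The point it shows is the one Michael raised: the server cannot tell two POSTs from the same browser apart by their session, but it can tell them apart by a value that only a page served from the OFBiz origin could have read.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Illustrative synchronizer-token check for the scenario in this thread.
 * Not OFBiz code: Session and the parameter maps are stand-ins for
 * HttpSession attributes and POST parameters.
 */
public class CsrfTokenDemo {

    /** Hidden form field carrying the token (assumed name, not an OFBiz field). */
    static final String TOKEN_FIELD = "csrfToken";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Stand-in for the attribute map of one HttpSession. */
    static final class Session {
        private final Map<String, String> attributes = new LinkedHashMap<>();
        String get(String key) { return attributes.get(key); }
        void put(String key, String value) { attributes.put(key, value); }
    }

    /** Returns the session's token, minting a 256-bit random one on first use. */
    static String tokenFor(Session session) {
        String token = session.get(TOKEN_FIELD);
        if (token == null) {
            byte[] raw = new byte[32];
            RANDOM.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(TOKEN_FIELD, token);
        }
        return token;
    }

    /**
     * The hidden input an OFBiz-generated form would carry. A form hosted on
     * xyz.com cannot obtain this value: the browser's same-origin policy stops
     * that page from reading a page served by the OFBiz host.
     */
    static String hiddenInput(Session session) {
        return "<input type=\"hidden\" name=\"" + TOKEN_FIELD
                + "\" value=\"" + tokenFor(session) + "\">";
    }

    /**
     * Decides whether a state-changing POST may proceed. A missing token is a
     * rejection, not a pass, and the comparison is constant-time so the check
     * does not leak how many leading characters of the token were right.
     */
    static boolean isValidPost(Session session, Map<String, String> postParams) {
        String expected = session.get(TOKEN_FIELD);
        String submitted = postParams.get(TOKEN_FIELD);
        if (expected == null || submitted == null) {
            return false; // no token issued yet, or the form did not send one
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Session adminSession = new Session();
        // The page OFBiz renders for the logged-in admin embeds the token.
        System.out.println("rendered field: " + hiddenInput(adminSession));

        // Constructed request: the crafted form from the original mail, which
        // sends sectorName and productName but no token.
        Map<String, String> forged = new LinkedHashMap<>();
        forged.put("sectorName", "SECTOR");
        forged.put("productName", "PRODUCT");
        System.out.println("forged form accepted: " + isValidPost(adminSession, forged));

        // Constructed request: the same fields submitted from an OFBiz page,
        // so the hidden field is present with this session's token.
        Map<String, String> legitimate = new LinkedHashMap<>(forged);
        legitimate.put(TOKEN_FIELD, tokenFor(adminSession));
        System.out.println("legitimate form accepted: " + isValidPost(adminSession, legitimate));

        // A token minted for a different session is rejected as well.
        Map<String, String> otherSession = new LinkedHashMap<>(forged);
        otherSession.put(TOKEN_FIELD, tokenFor(new Session()));
        System.out.println("other session's token accepted: " + isValidPost(adminSession, otherSession));
    }
}
```

In a real deployment the check belongs in front of every request that changes state (in OFBiz terms, before the controller dispatches a POST request-map to its event or service), and requests that change state must not be reachable by GET, otherwise the token is simply never consulted. The token is tied to the session rather than to a form so that ordinary multi-tab use keeps working; binding it to the session also means it must be regenerated on login. OWASP CSRFGuard, which Paul links, implements this same pattern with the token injection done for you.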
In reply to this post by Sonali Agrahari
What does "your message has been moderated" mean?
It means that the person sends a message to the ML w/o being subscribed to it. So we (moderators) have to allow this message to pass.

Jacques
In reply to this post by Paul Foxworthy
Hi Paul,

I tried hard to use it 9 months ago but did not succeed. I even then inadvertently committed my then WIP work and then removed it at http://svn.apache.org/viewvc?view=revision&revision=1799243

I also tried the Tomcat RestCsrfPreventionFilter, see my comment in OFBIZ-6766 at https://s.apache.org/ndCd

BTW (loosely related) when I worked on Ajax+JWT+CORS (OFBIZ-10307) I tried to use the Tomcat CORS Filter <https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter> but finally gave up.

It's maybe possible to use these filters the right way. But like I did for securing cookies (OFBIZ-6655, https://s.apache.org/4bnJ, http://svn.apache.org/viewvc?view=revision&revision=1809687) I prefer to handle it in our code and not depend on Tomcat for that. YMMV

Sorry for the plain links in text, I have no time to play with [#] link stuff :)

Jacques
In reply to this post by Jacques Le Roux
Ahh ok, makes sense, you know to first sign up for the list serv before you hit it up xD...