[MODERATE EMAIL] Security threats in OFbiz


[MODERATE EMAIL] Security threats in OFbiz

Deepak Dixit-3
Hi Sonali Agrahari

Your email has been moderated. Please subscribe to the mailing list:
http://ofbiz.apache.org/mailing-lists.html


Could you please share which OFBiz version you are using?
You can configure it using session-config config in web.xml.


Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
www.hotwax.co

---------- Forwarded message ----------
From: Sonali Agrahari <[hidden email]>
To: [hidden email]
Cc:
Bcc:
Date: Mon, 12 Mar 2018 01:50:52 -0700 (MST)
Subject: Security threats in OFbiz
Hello all,

How can we resolve the "Privilege Escalation using an Under-Privileged
User" security issue? That is, after logging in to the application, if the
URL of a web page with its external login key is copied to another browser,
that web page opens without login and we can access the whole application.

How can it be resolved?

Kindly help.


Thank you

Regards ,

Sonali Agrahari






--
Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
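
The behaviour described in this post can be watched for on the server side. The following is an added example, not part of the original thread and not OFBiz code: it scans access-log lines for the externalLoginKey query parameter and reports any key presented by more than one client. The log lines and key values are constructed, and the "combined" access-log format and the (IP, User-Agent) client fingerprint are assumptions about the deployment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:09:01:10 +0000] "GET /ordermgr/control/main?externalLoginKey=EL1111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/58.0"
10.0.0.5 - - [12/Mar/2018:09:01:40 +0000] "GET /catalog/control/main?externalLoginKey=EL1111 HTTP/1.1" 200 4800 "-" "Mozilla/5.0 Firefox/58.0"
10.0.0.9 - - [12/Mar/2018:09:03:02 +0000] "GET /ordermgr/control/main?externalLoginKey=EL1111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Chrome/64.0"
10.0.0.7 - - [12/Mar/2018:09:04:15 +0000] "GET /party/control/main?externalLoginKey=EL2222 HTTP/1.1" 200 3900 "-" "Mozilla/5.0 Chrome/64.0"
10.0.0.7 - - [12/Mar/2018:09:05:00 +0000] "GET /party/control/main HTTP/1.1" 200 3900 "-" "Mozilla/5.0 Chrome/64.0"
"""

# ip, timestamp, request line, status, size, referer, user agent
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def keys_by_client(log_text):
    """Map each externalLoginKey value to the set of (ip, user_agent) that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        query = parse_qs(urlsplit(m.group("target")).query)
        for key in query.get("externalLoginKey", []):
            seen[key].add((m.group("ip"), m.group("ua")))
    return seen

def shared_keys(log_text):
    """Keys presented by more than one client fingerprint.

    Assumption: one browser reusing its own key across webapps is normal,
    so only a second, different client is treated as worth reviewing.
    """
    return {k: sorted(c) for k, c in keys_by_client(log_text).items() if len(c) > 1}

if __name__ == "__main__":
    for key, clients in shared_keys(SAMPLE_LOG).items():
        # Print only the tail of the key so the report does not leak it again.
        print(f"externalLoginKey ...{key[-4:]} used by {len(clients)} clients:")
        for ip, ua in clients:
            print(f"  {ip}  {ua}")
```
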

Re: [MODERATE EMAIL] Security threats in OFbiz

Sonali Agrahari
I am using OFbiz 12.05 version in my application.




Re: [MODERATE EMAIL] Security threats in OFbiz

Aditya Sharma
In reply to this post by Deepak Dixit-3
Hi Sonali Agrahari,

You can set security.login.externalLoginKey.enabled to false in the
security.properties file for it.

Or

You can also prepare & load data for SystemProperty entity.
<SystemProperty systemResourceId="security"
systemPropertyId="security.login.externalLoginKey.enabled"
systemPropertyValue="false"/>

HTH

Thanks and Regards,

*Aditya Sharma* | Enterprise Software Engineer
HotWax Commerce <http://www.hotwax.co/> by HotWax Systems
<http://www.hotwaxsystems.com/>

<https://www.linkedin.com/in/aditya-sharma-78291810a/>


Re: [MODERATE EMAIL] Security threats in OFbiz

Deepak Dixit-3
Thanks Aditya,

session-config is used to disable jsessionId in the URL.



Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
www.hotwax.co


Re: [MODERATE EMAIL] Security threats in OFbiz

Jacques Le Roux
Administrator
In reply to this post by Deepak Dixit-3
You may try Tomcat SSO https://issues.apache.org/jira/browse/OFBIZ-10047

Does not work yet in a cluster

Jacques



Re: [MODERATE EMAIL] Security threats in OFbiz

Sonali Agrahari
In reply to this post by Aditya Sharma
The issues are not resolved by adding the following code in the
CommonSystemPropertyData.xml file:

<SystemProperty systemResourceId="security"
systemPropertyId="security.login.externalLoginKey.enabled"
systemPropertyValue="false"/>





Re: [MODERATE EMAIL] Security threats in OFbiz

deepak nigam-2
Hi Sonali,

It seems you didn't load the data into the system. Please use the following
link to load the data using web-tools:

https://localhost:8443/webtools/control/EntityImport

