OFBiz security issues.

> I've developed an application on OFBiz and found some security issues during
> testing. Here are the list :
>
> *A. Information Leakage through persistent cookies : The web application
> stores sensitive session information in a permanent cookie (on disk)*
> **
> *Impact of this issue :*
> **
> • This information may be compromised or used for identity theft or user
> impersonation.
> • The account information may be stolen and used later by a malicious user.
>
> I've checked the Set-Cookie header, and found that the session id cookie has
> a future expiration date.
> So, my question is that why OFBiz stores sensitive information in persistent
> cookies instead of non-permanent cookie(RAM cookies) only and how to fix it.
> **
> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
> Secure attribute for sensitive cookies in HTTPS sessions is not set*
> **
> *Impact:*
> **
> •  It is possible to move the ability to enforce the cookie logic to the
> client-side (the browser). This could allow an attacker to send cookies
> he/she is
>   not authorized to send.
>
> I've checked the the Set-Cookie header, and found that the "secure"
> attribute is missing.
>
> Is there any property file where I can set that "secure" attribute for the
> cookie.
>
>
> Cheers,
> Frein

> Which release.revision have you used?
>
> Jacques
>
> From: "Frein Mccain" <[hidden email]>
>
> I've developed an application on OFBiz and found some security issues
> during
> testing. Here are the list :
>
> *A. Information Leakage through persistent cookies : The web application
> stores sensitive session information in a permanent cookie (on disk)*
> **
> *Impact of this issue :*
> **
> • This information may be compromised or used for identity theft or user
> impersonation.
> • The account information may be stolen and used later by a malicious user.
>
> I've checked the Set-Cookie header, and found that the session id cookie
> has
> a future expiration date.
> So, my question is that why OFBiz stores sensitive information in
> persistent
> cookies instead of non-permanent cookie(RAM cookies) only and how to fix
> it.
> **
> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
> Secure attribute for sensitive cookies in HTTPS sessions is not set*
> **
> *Impact:*
> **
> •  It is possible to move the ability to enforce the cookie logic to the
> client-side (the browser). This could allow an attacker to send cookies
> he/she is
>  not authorized to send.
>
> I've checked the the Set-Cookie header, and found that the "secure"
> attribute is missing.
>
> Is there any property file where I can set that "secure" attribute for the
> cookie.
>
>
> Cheers,
> Frein
>
>
>

> Which release.revision have you used?
>
> Jacques
>
> From: "Frein Mccain" <[hidden email]>
>
> I've developed an application on OFBiz and found some security issues
> during
> testing. Here are the list :
>
> *A. Information Leakage through persistent cookies : The web application
> stores sensitive session information in a permanent cookie (on disk)*
> **
> *Impact of this issue :*
> **
> • This information may be compromised or used for identity theft or user
> impersonation.
> • The account information may be stolen and used later by a malicious user.
>
> I've checked the Set-Cookie header, and found that the session id cookie
> has
> a future expiration date.
> So, my question is that why OFBiz stores sensitive information in
> persistent
> cookies instead of non-permanent cookie(RAM cookies) only and how to fix
> it.
> **
> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
> Secure attribute for sensitive cookies in HTTPS sessions is not set*
> **
> *Impact:*
> **
> •  It is possible to move the ability to enforce the cookie logic to the
> client-side (the browser). This could allow an attacker to send cookies
> he/she is
>  not authorized to send.
>
> I've checked the the Set-Cookie header, and found that the "secure"
> attribute is missing.
>
> Is there any property file where I can set that "secure" attribute for the
> cookie.
>
>
> Cheers,
> Frein
>
>
>

>  Hi Frein,
>
> Please use rather the user ML for such questions. There have been a large
> effort regarding security issues, refer to
> https://issues.apache.org/jira/browse/OFBIZ-1525
>
> Jacques
>
> ----- Original Message -----
> *From:* Frein Mccain <[hidden email]>
> *To:* Jacques Le Roux <[hidden email]>
> *Sent:* Thursday, December 09, 2010 2:54 PM
> *Subject:* Re: OFBiz security issues.
>
> Jacques,
>
> I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I am
> facing the same issue because I am using old code base.
> In this post you've post the commented that "this issue has been Fixed by
> recent security efforts", what does it mean ?
>
> I tried to search for patch for the fix so that I can make changes in my
> code...can you please help on this?
>
> On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> Frein,
>>
>> Did you check David's suggestion?
>>
>>
>> Jacques
>>
>> From: "Frein Mccain" <[hidden email]>
>> Jacques,
>>
>> I am using 9.04 release.
>>
>> On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <
>> [hidden email]> wrote:
>>
>> Which release.revision have you used?
>>>
>>> Jacques
>>>
>>> From: "Frein Mccain" <[hidden email]>
>>>
>>> I've developed an application on OFBiz and found some security issues
>>> during
>>> testing. Here are the list :
>>>
>>> *A. Information Leakage through persistent cookies : The web application
>>> stores sensitive session information in a permanent cookie (on disk)*
>>> **
>>> *Impact of this issue :*
>>> **
>>> • This information may be compromised or used for identity theft or user
>>> impersonation.
>>> • The account information may be stolen and used later by a malicious
>>> user.
>>>
>>> I've checked the Set-Cookie header, and found that the session id cookie
>>> has
>>> a future expiration date.
>>> So, my question is that why OFBiz stores sensitive information in
>>> persistent
>>> cookies instead of non-permanent cookie(RAM cookies) only and how to fix
>>> it.
>>> **
>>> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
>>> Secure attribute for sensitive cookies in HTTPS sessions is not set*
>>> **
>>> *Impact:*
>>> **
>>> •  It is possible to move the ability to enforce the cookie logic to the
>>> client-side (the browser). This could allow an attacker to send cookies
>>> he/she is
>>>  not authorized to send.
>>>
>>> I've checked the the Set-Cookie header, and found that the "secure"
>>> attribute is missing.
>>>
>>> Is there any property file where I can set that "secure" attribute for
>>> the
>>> cookie.
>>>
>>>
>>> Cheers,
>>> Frein
>>>
>>>
>>>
>>>
>>
>>
>

>  Hi Frein,
>
> Please use rather the user ML for such questions. There have been a large
> effort regarding security issues, refer to
> https://issues.apache.org/jira/browse/OFBIZ-1525
>
> Jacques
>
> ----- Original Message -----
> *From:* Frein Mccain <[hidden email]>
> *To:* Jacques Le Roux <[hidden email]>
> *Sent:* Thursday, December 09, 2010 2:54 PM
> *Subject:* Re: OFBiz security issues.
>
> Jacques,
>
> I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I am
> facing the same issue because I am using old code base.
> In this post you've post the commented that "this issue has been Fixed by
> recent security efforts", what does it mean ?
>
> I tried to search for patch for the fix so that I can make changes in my
> code...can you please help on this?
>
> On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> Frein,
>>
>> Did you check David's suggestion?
>>
>>
>> Jacques
>>
>> From: "Frein Mccain" <[hidden email]>
>> Jacques,
>>
>> I am using 9.04 release.
>>
>> On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <
>> [hidden email]> wrote:
>>
>> Which release.revision have you used?
>>>
>>> Jacques
>>>
>>> From: "Frein Mccain" <[hidden email]>
>>>
>>> I've developed an application on OFBiz and found some security issues
>>> during
>>> testing. Here are the list :
>>>
>>> *A. Information Leakage through persistent cookies : The web application
>>> stores sensitive session information in a permanent cookie (on disk)*
>>> **
>>> *Impact of this issue :*
>>> **
>>> * This information may be compromised or used for identity theft or user
>>> impersonation.
>>> * The account information may be stolen and used later by a malicious
>>> user.
>>>
>>> I've checked the Set-Cookie header, and found that the session id cookie
>>> has
>>> a future expiration date.
>>> So, my question is that why OFBiz stores sensitive information in
>>> persistent
>>> cookies instead of non-permanent cookie(RAM cookies) only and how to fix
>>> it.
>>> **
>>> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
>>> Secure attribute for sensitive cookies in HTTPS sessions is not set*
>>> **
>>> *Impact:*
>>> **
>>> *  It is possible to move the ability to enforce the cookie logic to the
>>> client-side (the browser). This could allow an attacker to send cookies
>>> he/she is
>>>  not authorized to send.
>>>
>>> I've checked the the Set-Cookie header, and found that the "secure"
>>> attribute is missing.
>>>
>>> Is there any property file where I can set that "secure" attribute for
>>> the
>>> cookie.
>>>
>>>
>>> Cheers,
>>> Frein
>>>
>>>
>>>
>>>
>>
>>
>

> Frein,
>
> Refer this link
> http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.phpfor cross site scripting solution.
>
>
>
> -----Original Message-----
> From: Frein Mccain [mailto:[hidden email]]
> Sent: Monday, December 13, 2010 7:14 PM
> To: [hidden email]
> Subject: Re: OFBiz security issues.
>
> My system is up and running with old code base of OFBiz and I am facing
> Cross-Site-Scripting security issue. I've referred the issue
> https://issues.apache.org/jira/browse/OFBIZ-1525 but not able to get the
> fix
> for the issue.
>
> Can anybody tell is this issue fixed in latest code, if yes than can you
> share some patch or commit version so that I can make changes in my code to
> fix fit.
>
> @ David : I've checked the browser cookie and found that the session id
> cookie has a future expiration date and there is no secure attribute.
>
> And I am using embedded Tomcat server only. Do you have any idea about
> cookie setting ?
>
>
>
> On Thu, Dec 9, 2010 at 9:39 PM, Jacques Le Roux <
> [hidden email]> wrote:
>
> >  Hi Frein,
> >
> > Please use rather the user ML for such questions. There have been a large
> > effort regarding security issues, refer to
> > https://issues.apache.org/jira/browse/OFBIZ-1525
> >
> > Jacques
> >
> > ----- Original Message -----
> > *From:* Frein Mccain <[hidden email]>
> > *To:* Jacques Le Roux <[hidden email]>
> > *Sent:* Thursday, December 09, 2010 2:54 PM
> > *Subject:* Re: OFBiz security issues.
> >
> > Jacques,
> >
> > I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260, I
> am
> > facing the same issue because I am using old code base.
> > In this post you've post the commented that "this issue has been Fixed by
> > recent security efforts", what does it mean ?
> >
> > I tried to search for patch for the fix so that I can make changes in my
> > code...can you please help on this?
> >
> > On Thu, Dec 9, 2010 at 3:14 PM, Jacques Le Roux <
> > [hidden email]> wrote:
> >
> >> Frein,
> >>
> >> Did you check David's suggestion?
> >>
> >>
> >> Jacques
> >>
> >> From: "Frein Mccain" <[hidden email]>
> >> Jacques,
> >>
> >> I am using 9.04 release.
> >>
> >> On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <
> >> [hidden email]> wrote:
> >>
> >> Which release.revision have you used?
> >>>
> >>> Jacques
> >>>
> >>> From: "Frein Mccain" <[hidden email]>
> >>>
> >>> I've developed an application on OFBiz and found some security issues
> >>> during
> >>> testing. Here are the list :
> >>>
> >>> *A. Information Leakage through persistent cookies : The web
> application
> >>> stores sensitive session information in a permanent cookie (on disk)*
> >>> **
> >>> *Impact of this issue :*
> >>> **
> >>> * This information may be compromised or used for identity theft or
> user
> >>> impersonation.
> >>> * The account information may be stolen and used later by a malicious
> >>> user.
> >>>
> >>> I've checked the Set-Cookie header, and found that the session id
> cookie
> >>> has
> >>> a future expiration date.
> >>> So, my question is that why OFBiz stores sensitive information in
> >>> persistent
> >>> cookies instead of non-permanent cookie(RAM cookies) only and how to
> fix
> >>> it.
> >>> **
> >>> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
> >>> Secure attribute for sensitive cookies in HTTPS sessions is not set*
> >>> **
> >>> *Impact:*
> >>> **
> >>> *  It is possible to move the ability to enforce the cookie logic to
> the
> >>> client-side (the browser). This could allow an attacker to send cookies
> >>> he/she is
> >>>  not authorized to send.
> >>>
> >>> I've checked the the Set-Cookie header, and found that the "secure"
> >>> attribute is missing.
> >>>
> >>> Is there any property file where I can set that "secure" attribute for
> >>> the
> >>> cookie.
> >>>
> >>>
> >>> Cheers,
> >>> Frein
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >
>
> ______________________________________________________________________
>
> The contents of this e-mail and any attachment(s) may contain confidential
> or privileged information for the intended recipient(s). Unintended
> recipients are prohibited from taking action on the basis of information in
> this e-mail and  using or disseminating the information,  and must notify
> the sender and delete it from their system. L&T Infotech will not accept
> responsibility or liability for the accuracy or completeness of, or the
> presence of any virus or disabling code in this e-mail"
>
> ______________________________________________________________________
>