I've developed an application on OFBiz and found some security issues during testing. Here is the list:

A. Information Leakage through persistent cookies: The web application stores sensitive session information in a permanent cookie (on disk)

Impact of this issue:
• This information may be compromised or used for identity theft or user impersonation.
• The account information may be stolen and used later by a malicious user.

I've checked the Set-Cookie header, and found that the session id cookie has a future expiration date. So, my question is why OFBiz stores sensitive information in persistent cookies instead of non-permanent cookies (RAM cookies) only, and how to fix it.

B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The Secure attribute for sensitive cookies in HTTPS sessions is not set

Impact:
• It is possible to move the ability to enforce the cookie logic to the client-side (the browser). This could allow an attacker to send cookies he/she is not authorized to send.

I've checked the Set-Cookie header, and found that the "secure" attribute is missing. Is there any property file where I can set that "secure" attribute for the cookie?

Cheers,
Frein
Which release.revision have you used?
Jacques
In reply to this post by frein.mccain
Which cookie(s) are you looking at that caused these alarms? This may or may not be OFBiz related. For example Tomcat (or whatever servlet container you are using) manages the session cookies.

-David
In reply to this post by Jacques Le Roux
Jacques,
I am using the 9.04 release.
Frein,
Did you check David's suggestion?

Jacques
Hi Frein,
Please rather use the user ML for such questions. There has been a large effort regarding security issues; refer to https://issues.apache.org/jira/browse/OFBIZ-1525

Jacques

----- Original Message -----
From: Frein Mccain
To: Jacques Le Roux
Sent: Thursday, December 09, 2010 2:54 PM
Subject: Re: OFBiz security issues.

Jacques,

I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260; I am facing the same issue because I am using an old code base. In this post you posted the comment that "this issue has been Fixed by recent security efforts"; what does it mean?

I tried to search for a patch for the fix so that I can make changes in my code... can you please help on this?
My system is up and running with an old code base of OFBiz and I am facing a Cross-Site-Scripting security issue. I've referred to the issue https://issues.apache.org/jira/browse/OFBIZ-1525 but am not able to get the fix for the issue.

Can anybody tell me whether this issue is fixed in the latest code? If yes, then can you share some patch or commit version so that I can make changes in my code to fix it?

@ David: I've checked the browser cookie and found that the session id cookie has a future expiration date and there is no secure attribute.

And I am using the embedded Tomcat server only. Do you have any idea about the cookie setting?
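As an added example (not code from this thread or from OFBiz), a small Python audit of Set-Cookie header values that checks the two findings Frein's scanner raised (a session id cookie with a future Expires/Max-Age, and a cookie served over HTTPS without Secure) and additionally HttpOnly, which is the cookie attribute relevant to the cross-site scripting issue raised in this message. The sample headers are constructed, and treating JSESSIONID (Tomcat's default) as the session cookie name is an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names treated as session identifiers. JSESSIONID is the Tomcat
# default; that it is the cookie in question here is an assumption.
SESSION_COOKIE_NAMES = {"jsessionid"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and attributes; attribute
    names are lower-cased and flag attributes (Secure, HttpOnly) become True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def is_persistent(attrs):
    """True when the browser will write the cookie to disk. Max-Age wins over
    Expires (RFC 6265); Max-Age <= 0 or a past Expires is a deletion, not
    persistence; an unparseable Expires is treated as persistent (conservative)."""
    if "max-age" in attrs:
        try:
            return int(str(attrs["max-age"])) > 0
        except ValueError:
            return True
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(str(attrs["expires"]))
        except Exception:
            return True
        if expires.tzinfo is None:  # a "-0000" zone yields a naive datetime
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > datetime.now(timezone.utc)
    return False  # no Expires/Max-Age: an in-memory session cookie

def audit_set_cookie(header, over_https=True):
    """Return the findings for one Set-Cookie header (empty list = clean)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if cookie["name"].lower() in SESSION_COOKIE_NAMES and is_persistent(attrs):
        findings.append("persistent session cookie")
    if over_https and "secure" not in attrs:
        findings.append("missing Secure attribute")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly attribute")
    return findings

# Constructed sample headers, not captured from a real OFBiz instance.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Expires=Wed, 13 Jan 2038 22:23:01 GMT",  # as in the thread
    "JSESSIONID=def456; Path=/; Secure; HttpOnly",  # hardened form
    "JSESSIONID=; Path=/; Max-Age=0; Secure; HttpOnly",  # deletion, not persistence
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_set_cookie(h) or ["ok"])
```

Run it against the Set-Cookie values from a real response (one header value per call) to confirm whether the container's session cookie, rather than an OFBiz cookie, is the one carrying the expiration date.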
Frein,
Refer to this link http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php for the cross-site scripting solution.
Thanks Anil !!!