OFBiz security issues.


OFBiz security issues.

frein.mccain
I've developed an application on OFBiz and found some security issues during
testing. Here is the list:

A. Information Leakage through persistent cookies: The web application
stores sensitive session information in a permanent cookie (on disk)

Impact of this issue:

• This information may be compromised or used for identity theft or user
impersonation.
• The account information may be stolen and used later by a malicious user.

I've checked the Set-Cookie header and found that the session id cookie has
a future expiration date.
So my question is: why does OFBiz store sensitive information in persistent
cookies instead of non-persistent (RAM) cookies only, and how can I fix it?

B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The
Secure attribute for sensitive cookies in HTTPS sessions is not set

Impact:

• It is possible to move the ability to enforce the cookie logic to the
client-side (the browser). This could allow an attacker to send cookies
he/she is not authorized to send.

I've checked the Set-Cookie header and found that the "secure"
attribute is missing.

Is there any property file where I can set that "secure" attribute for the
cookie?


Cheers,
Frein
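A small checker for the two Set-Cookie findings described in this post, added here as an example and not code from the thread or from OFBiz; the header lines it audits are constructed, the cookie name JSESSIONID is Tomcat's default session cookie, and it also flags a missing HttpOnly attribute, which the post does not ask about.

```python
"""Audit Set-Cookie headers for persistent session cookies and missing
Secure/HttpOnly attributes (added example; sample headers are constructed)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Tomcat's default session cookie name; OFBiz runs on embedded Tomcat.
SESSION_COOKIE_NAMES = {"jsessionid"}

# Constructed sample headers: the first set shows both findings from the post,
# the second is what a hardened session cookie should look like.
WEAK_HEADERS = [
    "JSESSIONID=abc123; Path=/; Expires=Sat, 06 Dec 2031 00:00:00 GMT",
    "theme=dark; Path=/; Max-Age=31536000",
]
HARDENED_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000; Secure",
]
# Fixed "current time" so the Expires check is deterministic.
SAMPLE_NOW = datetime(2010, 12, 6, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs, now):
    """True if the browser will write the cookie to disk: a positive
    Max-Age, or (when Max-Age is absent) an Expires date in the future."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > now
    return False


def audit(headers, over_https=True, now=None):
    """Return (cookie name, finding) pairs for every weakness found."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        is_session = name.lower() in SESSION_COOKIE_NAMES
        if is_session and is_persistent(attrs, now):
            findings.append((name, "session cookie is persistent"))
        if over_https and "secure" not in attrs:
            findings.append((name, "missing Secure attribute"))
        if is_session and "httponly" not in attrs:
            findings.append((name, "missing HttpOnly attribute"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(WEAK_HEADERS, now=SAMPLE_NOW):
        print(f"{name}: {finding}")
```

Run it against the Set-Cookie lines captured from your own deployment (one header per list entry) to confirm the findings before and after changing the container's cookie settings.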

Re: OFBiz security issues.

Jacques Le Roux
Administrator
Which release.revision have you used?

Jacques


Re: OFBiz security issues.

David E. Jones-2
In reply to this post by frein.mccain

Which cookie(s) are you looking at that caused these alarms?

This may or may not be OFBiz related. For example Tomcat (or whatever servlet container you are using) manages the session cookies.

-David



Re: OFBiz security issues.

frein.mccain
In reply to this post by Jacques Le Roux
Jacques,

I am using 9.04 release.


Re: OFBiz security issues.

Jacques Le Roux
Administrator
Frein,

Did you check David's suggestion?

Jacques


Re: OFBiz security issues.

Jacques Le Roux
Administrator
Hi Frein,

Please rather use the user ML for such questions. There has been a large effort regarding security issues; refer to https://issues.apache.org/jira/browse/OFBIZ-1525

Jacques
  ----- Original Message -----
  From: Frein Mccain
  To: Jacques Le Roux
  Sent: Thursday, December 09, 2010 2:54 PM
  Subject: Re: OFBiz security issues.

  Jacques,

  I've seen this post https://issues.apache.org/jira/browse/OFBIZ-260; I am facing the same issue because I am using an old code base.
  In this post you commented that "this issue has been Fixed by recent security efforts"; what does it mean?

  I tried to search for a patch for the fix so that I can make changes in my code... can you please help with this?



Re: OFBiz security issues.

frein.mccain
My system is up and running with an old code base of OFBiz and I am facing
a Cross-Site Scripting security issue. I've referred to the issue
https://issues.apache.org/jira/browse/OFBIZ-1525 but am not able to get the fix
for the issue.

Can anybody tell me whether this issue is fixed in the latest code? If yes, can you
share a patch or commit version so that I can make the changes in my code to
fix it.

@ David : I've checked the browser cookie and found that the session id
cookie has a future expiration date and there is no secure attribute.

And I am using the embedded Tomcat server only. Do you have any idea about
the cookie setting?

RE: OFBiz security issues.

Anil Soni
Frein,

Refer to this link http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php for the cross-site scripting solution.

Re: OFBiz security issues.

frein.mccain
Thanks Anil !!!
