Hi there,
I've been working on some basic newsletter sign-up stuff with OptInCodes. When accepting an OptInCode, the user has to pass through 4 different variables (OptInCode + 3 primary keys). Apart from the fact that this doesn't look nice at all for any given user, it reveals some of our primary keys, which has an impact on security.

This is how my URL looks:

.../updateNewsletterStatus?contactListId=1000&partyId=10020&fromDate=2011-01-13 10:46:32.952&optInVerifyCode=9744644563

I thought about creating an entity with one primary key and 4 foreign keys (from the above URL). The primary key could then be a hash value that is passed through by the user. What do you think about this idea?

Greetings,
Mirko

Mirko Vogelsmeier
Trainee IT Specialist, Application Development (Auszubildender Fachinformatiker AEW)
Lynx-Consulting GmbH
Johanniskirchplatz 6
33615 Bielefeld
Germany
Phone: +49 521 5247-0
Fax: +49 521 5247-250

Company and Management Headquarters: Lynx-Consulting GmbH, Johanniskirchplatz 6, 33615 Bielefeld, Germany. Phone: +49 521 5247-0, Fax: +49 521 5247-250, www.lynx.de
Court Registration: Amtsgericht Bielefeld HRB 35946
Chief Executive Officers: Karsten Noss, Dirk Osterkamp

This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.
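As an added illustration of the single-token design proposed above (example code written for this page, not OFBiz's own implementation, and in Python rather than OFBiz's Java for brevity), the block below issues an opaque single-use token for a double opt-in link and resolves it back to the three keys on the server. It assumes a made-up base URL https://example.org/updateNewsletterStatus, an in-memory dict standing in for the proposed entity, and a 48-hour link lifetime. Two design choices differ from "a hash of the keys": the token is random, because a hash of predictable primary keys could be recomputed by anyone who guesses the keys, and only its SHA-256 digest is stored, so a copied database does not yield working links. The legacy_opt_in_link helper builds the original four-parameter URL with proper percent-encoding, which removes the literal space in fromDate that the replies object to but still exposes the keys.

```python
"""Opaque single-use double opt-in tokens (added example, not OFBiz code).

Assumptions (not from the thread): the in-memory dict _store stands in for
the proposed entity holding one token per (contactListId, partyId, fromDate);
links are valid for TOKEN_TTL_SECONDS; the base URL used in the demo is made up.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: a verification link lives 48 hours


@dataclass
class OptInRecord:
    """Row of the proposed entity: the three keys, plus expiry and use state."""
    contact_list_id: str
    party_id: str
    from_date: str
    expires_at: float
    used: bool = False


# Keyed by the SHA-256 digest of the token, never by the token itself, so a
# copied database does not contain anything that can be pasted into a URL.
_store: Dict[str, OptInRecord] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_opt_in_link(base_url: str, contact_list_id: str, party_id: str,
                      from_date: str, now: Optional[float] = None) -> str:
    """Create a random token, store its digest with the keys, and build the link.

    The token is random rather than a hash of the keys: a hash of predictable
    primary keys could be recomputed by anyone who guesses the keys.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe alphabet
    _store[_digest(token)] = OptInRecord(
        contact_list_id, party_id, from_date, expires_at=now + TOKEN_TTL_SECONDS)
    # urlencode handles any escaping; the token's alphabet needs none.
    return f"{base_url}?{urlencode({'optInToken': token})}"


def redeem_opt_in_link(url: str, now: Optional[float] = None
                       ) -> Optional[Tuple[str, str, str]]:
    """Resolve a clicked link back to (contactListId, partyId, fromDate).

    Returns None for unknown, expired, or already used tokens; a valid token
    is marked used so the link cannot be replayed.
    """
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("optInToken", [""])[0]
    if not token:
        return None
    record = _store.get(_digest(token))
    if record is None or record.used or now > record.expires_at:
        return None
    record.used = True
    return (record.contact_list_id, record.party_id, record.from_date)


def legacy_opt_in_link(base_url: str, contact_list_id: str, party_id: str,
                       from_date: str, opt_in_verify_code: str) -> str:
    """The original four-parameter URL, built with proper percent-encoding.

    This removes the literal space in fromDate but still exposes the keys,
    which is why the opaque token above is preferable.
    """
    query = urlencode({
        "contactListId": contact_list_id,
        "partyId": party_id,
        "fromDate": from_date,
        "optInVerifyCode": opt_in_verify_code,
    })
    return f"{base_url}?{query}"


if __name__ == "__main__":
    base = "https://example.org/updateNewsletterStatus"  # made-up host
    link = issue_opt_in_link(base, "1000", "10020", "2011-01-13 10:46:32.952")
    print("mailed link:", link)
    print("first click: ", redeem_opt_in_link(link))
    print("second click:", redeem_opt_in_link(link))
    print("legacy form: ", legacy_opt_in_link(
        base, "1000", "10020", "2011-01-13 10:46:32.952", "9744644563"))
```

In a real deployment the dict becomes the new entity with the digest as its primary key, and the redeem step runs inside the same transaction that updates the newsletter status so a token cannot be consumed twice under concurrent clicks.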
The main issue we focused on here was the fromDate parameter in the URL:

fromDate=2011-01-13 10:46:32.952

It's really bad to have a space in the URL, isn't it?

2011/1/13 Mirko Vogelsmeier <[hidden email]>:

--
Sascha Rodekamp
Lynx-Consulting GmbH
Johanniskirchplatz 6
D-33615 Bielefeld
http://www.lynx.de
Quick answer: are you using a GET method with your action (I see these parameters in the URL)? Because this is bad for XSS. We use hidden fields with POST. But maybe I completely missed the point ;o)

Jacques
Yep, you're right, but what he is talking about is the double opt-in for newsletter sign-ups (you have to do this in Germany). It means that when you have signed up for a newsletter, you get a mail with a verification link. OFBiz generates this email, but with a bunch of GET parameters, which is really a security issue. So Mirko suggests using only one hash code which is translated internally. This should minimize the risk of XSS and stuff.

2011/1/22 Jacques Le Roux <[hidden email]>:

--
Sascha Rodekamp
Hi Sascha,

Looks good to me.

Jacques