Security Related Issues in OFBiz


vivek.mi
Hello All,

A few issues were reported while testing my application, which is built upon
the OFBiz framework, with the IBM AppScan tool for black-box testing. The
issues are listed below:

1. Unsafe third-party link (target="_blank") in screens and forms.
   
2. Query Parameter in SSL Request while sending hidden fields in XML and FTL
forms.

3. Body Parameters Accepted in Query

4. Archive File Download

5. Cacheable SSL Page Found

Please suggest how I can go ahead to resolve these issues. I am
using OFBiz version 12.05.

Thanks in advance,
Vivek Mishra



-----
Vivek Mishra
--
Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
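Added example, not code from this thread or from the OFBiz project: a small offline checker that reproduces three of the AppScan findings listed in the post (unsafe target="_blank" links, hidden fields submitted in the query string of a GET form, and an HTTPS page served without no-store/no-cache) against a constructed HTML page and constructed response headers, and shows the hardened form of the link and the header set. The sample markup, the header dictionaries and the URL are all constructed for this example; where the fix lives in an OFBiz application (the FTL/XML form definition or the response headers set by the controller) is not shown here.

```python
"""Reproduce three of the scanner findings from the post on constructed input.

Everything below is an added example: the HTML, headers and URL are
constructed here and are not real OFBiz output.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a rendered screen: one unsafe _blank link, one safe
# one, and a GET form that sends a hidden field in the URL query string.
SAMPLE_HTML = """
<html><body>
<a href="https://partner.example.com/help" target="_blank">Partner help</a>
<a href="https://partner.example.com/docs" target="_blank"
   rel="noopener noreferrer">Docs</a>
<form method="get" action="https://shop.example.com/control/checkout">
  <input type="hidden" name="sessionToken" value="abc123">
  <input type="submit" value="Go">
</form>
</body></html>
"""

# Constructed response headers for an HTTPS page: weak (cacheable) and fixed.
WEAK_HEADERS = {"Content-Type": "text/html",
                "Cache-Control": "public, max-age=3600"}
FIXED_HEADERS = {"Content-Type": "text/html",
                 "Cache-Control": "no-store, no-cache, must-revalidate",
                 "Pragma": "no-cache"}
SAMPLE_URL = "https://shop.example.com/control/checkout"  # constructed


class LinkAndFormCollector(HTMLParser):
    """Collect <a> attribute sets and, per <form>, its method and hidden fields."""

    def __init__(self):
        super().__init__()
        self.links = []   # one attribute dict per <a>
        self.forms = []   # {"method": str, "hidden": [field names]}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attrs become ""
        if tag == "a":
            self.links.append(a)
        elif tag == "form":
            self.forms.append({"method": (a.get("method") or "get").lower(),
                               "hidden": []})
        elif tag == "input" and a.get("type", "").lower() == "hidden" and self.forms:
            self.forms[-1]["hidden"].append(a.get("name", ""))


def _parse(html):
    p = LinkAndFormCollector()
    p.feed(html)
    return p


def unsafe_blank_links(html):
    """Finding 1: a target="_blank" link without rel="noopener" gives the
    opened page a window.opener handle back to ours. Returns offending hrefs."""
    bad = []
    for a in _parse(html).links:
        if a.get("target", "").lower() == "_blank":
            rel = set(a.get("rel", "").lower().split())
            if "noopener" not in rel:
                bad.append(a.get("href", ""))
    return bad


def hidden_fields_in_query(html):
    """Finding 2: hidden fields in a method=GET form travel in the URL query,
    where they land in server logs, browser history and Referer headers.
    Returns the names of hidden fields that would be sent that way."""
    return [name for f in _parse(html).forms if f["method"] == "get"
            for name in f["hidden"]]


def is_cacheable_ssl_page(url, headers):
    """Finding 5: an HTTPS response with neither no-store nor no-cache may be
    kept by the browser cache or an intermediary."""
    if urlsplit(url).scheme != "https":
        return False
    directives = {d.strip().lower()
                  for d in headers.get("Cache-Control", "").split(",")}
    return not ({"no-store", "no-cache"} & directives)


def harden_blank_link(attrs):
    """Fix for finding 1: return a copy of the <a> attributes with
    rel="noopener noreferrer" added to any target="_blank" link."""
    out = dict(attrs)
    if out.get("target", "").lower() == "_blank":
        rel = set(out.get("rel", "").lower().split())
        rel.update({"noopener", "noreferrer"})
        out["rel"] = " ".join(sorted(rel))
    return out


if __name__ == "__main__":
    print("unsafe _blank links:", unsafe_blank_links(SAMPLE_HTML))
    print("hidden fields sent via GET:", hidden_fields_in_query(SAMPLE_HTML))
    print("weak headers cacheable:", is_cacheable_ssl_page(SAMPLE_URL, WEAK_HEADERS))
    print("fixed headers cacheable:", is_cacheable_ssl_page(SAMPLE_URL, FIXED_HEADERS))
```

The fix for finding 2 is not a link attribute but a form change: switch the form to method="post" so hidden values travel in the request body, which is why the checker only reports it. For finding 5, the fixed header set shows the directives a scanner looks for on pages that carry session or personal data; static assets can keep a public cache policy.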

Re: Security Related Issues in OFBiz

Jacopo Cappellato-5
Hi Vivek,

the best way to go is to use a release that is part of a release branch
that is still actively maintained:

https://ofbiz.apache.org/download.html

Security vulnerabilities on active branches should be reported to the OFBiz
security list: [hidden email]

Thank you,

Jacopo


On Tue, Dec 19, 2017 at 6:40 AM, vivek.mi <[hidden email]> wrote: