Security issue?

Dimitri Unruh-2
Hi everybody,

I got strange behavior with request chaining.

Should we allow the following requests for an anonymous user?
http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/ordercomplete
http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/viewprofile
http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/changepassword

I know that a screen should check permissions, but anyway....

What do you think?


Kind regards
Best Regards


Dimitri Unruh
Consultant AEW
Lynx-Consulting GmbH
Johanniskirchplatz 6
33615 Bielefeld
Germany
Phone: +49 521 5247-0
Fax: +49 521 5247-250
Mobile: +49 160 90 57 55 13


Our Lynx news service offers you useful insights from consulting practice and provides information on our events.

Get to know our Lynx Academy as well!


Company and Management Headquarters:
Lynx-Consulting GmbH, Johanniskirchplatz 6, 33615 Bielefeld, Germany
Phone: +49 521 5247-0, Fax: +49 521 5247-250, www.lynx.de

Court Registration: Amtsgericht Bielefeld HRB 35946
Chief Executive Officers: Karsten Noss, Dirk Osterkamp


http://www.lynx.de/haftungsausschluss

Re: Security issue?

Jacques Le Roux
Administrator
Actually, from the UI side this is not permitted. If you do otherwise, or if the user uses URLs, then it needs to be handled one way or
another. For me it's not a problem for OFBiz OOTB though...

Jacques

Dimitri Unruh wrote:

> Hi everybody,
>
> I got strange behavior with request chaining.
>
> Should we allow the following requests for an anonymous user?
> http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/ordercomplete
> http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/viewprofile
> http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/changepassword
>
> I know that a screen should check permissions, but anyway....
>
> What do you think?
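The check both posts point at is that the screen itself has to reject an anonymous user, so that it holds no matter whether the view was reached through its own request-map or by naming the view in a chained URL such as /control/view/changepassword. The following is an added illustration in OFBiz's controller.xml and screen-widget conventions; it is not the demo site's own configuration, and the file locations, screen name and form name are assumed. The weak variant is simply the same screen without the condition block, which renders for whoever asks for it.

```xml
<!-- Added example, not the OFBiz demo's own configuration. Screen/form
     names and component:// locations below are assumed placeholders. -->

<!-- controller.xml: the dedicated request requires an authenticated user.
     This alone is not enough, because a chained request that names the
     view directly never passes through this request-map. -->
<request-map uri="changepassword">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="changepassword"/>
</request-map>

<!-- Screen definition: enforce the check at the screen, so it applies
     whichever request rendered the view. "userLogin" is the context
     field OFBiz populates for the logged-in user; it is empty for an
     anonymous visitor. -->
<screen name="changepassword">
    <section>
        <condition>
            <not><if-empty field="userLogin"/></not>
        </condition>
        <widgets>
            <!-- assumed: the real change-password form lives here -->
            <include-form name="changepassword"
                          location="component://ecommerce/widget/CustomerForms.xml"/>
        </widgets>
        <fail-widgets>
            <!-- anonymous user: render the login screen instead of the form -->
            <include-screen name="login"
                            location="component://ecommerce/widget/LoginScreens.xml"/>
        </fail-widgets>
    </section>
</screen>
```

The same pattern fits viewprofile and ordercomplete: put the condition on the screen (or on an enclosing decorator screen that every protected screen includes), and verify it by requesting each /control/view/... URL without a session cookie and confirming that the login screen, not the protected content, comes back.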