Hi All,

Recently, for one of our client's deployments, I am getting a serious security issue. Some frontend customers have reported that when they logged in to the site, it opened as logged in with a different user account, and they were able to access the "my account" page of that user.

I can confirm that:
1. There is no close network connection between the two customers (the one who was accessing the site and the one whose account was opened).
2. Both users exist in the system with different usernames.
3. The account that was showing as logged in has not accessed the site for a long time.

This issue has been reported by many users and is causing serious problems.

Can someone help me by giving any clue why it is happening? Any solution?

--
Thanks and Regards
Sumit Pandit
Hi Sumit,

You're providing little information to go on. Can you at least provide some server logs, the context in which this happened, user feedback, the environment in which the system is running, which screen, and any customization done to the framework?

Taher Alkhateeb

On Jul 29, 2015 5:07 PM, "Sumit Pandit" <[hidden email]> wrote:
Hi Taher,

Appreciate your revert.

The logs have already been analyzed; the logger is set to warning and nothing is available there. It looks like a normal user login, with no error/warning printed. For the user's feedback, I have a screenshot that he shared showing the "my account" page of the other user. There is no customization done at the framework level; the project is using the default ecommerce login of OFBiz. The server is running on a Linux box with a Postgres DB.

Those are the answers to all of your questions. I will provide more details as you request.

On Wed, Jul 29, 2015 at 8:15 PM, Taher Alkhateeb <[hidden email]> wrote:

--
Thanks and Regards
Sumit Pandit
Which version are you using?

Jacques

On 29/07/2015 17:23, Sumit Pandit wrote:
In addition to Jacques's question, what is the exact URL being accessed in the beginning?

Also, if possible, can you give us the exact steps to repeat? For example: Person A logs in to URL xyz, then clicks the logout button, then person B enters the URL abc on the same computer and is automatically logged in. It is important to see the exact URL and exact steps and, if possible, also the controller.xml entry corresponding to this URL.

Taher Alkhateeb

----- Original Message -----
From: "Jacques Le Roux" <[hidden email]>
To: [hidden email]
Sent: Wednesday, 29 July, 2015 6:42:03 PM
Subject: Re: Unauthorized user loggedin
Hi Jacques, it is at 12.04 r1662960.

And Taher, for which page? I am not sure. As I have mentioned, it was reported by an end user, and he informed us that when he accessed the site he found himself logged in. The issue is on the production deployment and has been reported by a couple of users only; it is not occurring for everyone. It was not reproduced on the staging or development server.

BTW, the case "Person A logs in to URL xyz, then clicks the logout button, then person B enters the URL abc on the same computer and is automatically logged in" is not possible, since it is confirmed that Person A and Person B live in different cities. They do not share a common computer, nor even a network.

One thing that I should mention is that it is an upgrade deployment from 11 to 12, where OFBiz is at 12.04 r1662960 and ecommerce is customized to fix upgrade issues. We are connecting to the *same DB* as exists for the production *env at 11*.

Following are the entries of controller.xml for the login and main pages:

    <request-map uri="main">
        <response name="success" type="view" value="main" save-current-view="true"/>
    </request-map>
    <request-map uri="login">
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
        <response name="success" type="view" value="home"/>
        <response name="error" type="view" value="login"/>
    </request-map>

On Wed, Jul 29, 2015 at 10:51 PM, Taher Alkhateeb <[hidden email]> wrote:

--
Thanks and Regards
Sumit Pandit
Hi Sumit,

Without a URL it would be difficult to debug your application, especially since you have customized it. Your issue requires some debugging. Can you repeat it?

Taher Alkhateeb

On Jul 29, 2015 8:56 PM, "Sumit Pandit" <[hidden email]> wrote:
It would be any URL. There is no customization in the login services or any other framework services. This issue is not predictable. I think it is an issue of session; somehow it might be shared.

On Thu, Jul 30, 2015 at 12:49 AM, Taher Alkhateeb <[hidden email]> wrote:

--
Thanks and Regards
Sumit Pandit
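The hypothesis in the last post is that a session is somehow being shared between users. The script below is an added example (not from the thread and not OFBiz's own code) of the check a defender would run against the server's request logs to test that hypothesis: it flags any session id seen from more than one client IP, or bound to more than one userLoginId. The log layout and all values are constructed for illustration and are not OFBiz's actual access-log format.

```python
"""Flag session ids used by several clients or several accounts.

Added example, not from the original thread. The log lines below are
constructed; the field layout (time, client IP, JSESSIONID, userLoginId,
request path) is an assumption, not OFBiz's real access-log format.
"""
from collections import defaultdict

# Constructed sample log, one request per line. "-" means not logged in.
SAMPLE_LOG = """\
2015-07-29T10:01:12Z 203.0.113.10 sess-A1 alice /ecommerce/control/login
2015-07-29T10:01:15Z 203.0.113.10 sess-A1 alice /ecommerce/control/main
2015-07-29T10:05:40Z 198.51.100.7 sess-B2 - /ecommerce/control/main
2015-07-29T10:05:44Z 198.51.100.7 sess-B2 bob /ecommerce/control/login
2015-07-29T11:20:02Z 192.0.2.55 sess-A1 alice /ecommerce/control/viewprofile
2015-07-29T11:22:09Z 192.0.2.55 sess-C3 carol /ecommerce/control/login
2015-07-29T11:30:00Z 192.0.2.55 sess-C3 dave /ecommerce/control/viewprofile
"""


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, ip, session, user, path = line.split()
    return {"ts": ts, "ip": ip, "session": session,
            "user": None if user == "-" else user, "path": path}


def find_shared_sessions(log_text):
    """Return session ids seen from more than one client IP or bound to
    more than one userLoginId, with the IPs and users observed.

    A session seen from several IPs matches the reported symptom (two
    customers in different cities inside one session). A session bound
    to several users points at login state not cleared between users.
    """
    ips = defaultdict(set)
    users = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ips[rec["session"]].add(rec["ip"])
        if rec["user"]:
            users[rec["session"]].add(rec["user"])

    findings = {}
    for session in set(ips) | set(users):
        if len(ips[session]) > 1 or len(users[session]) > 1:
            findings[session] = {
                "ips": sorted(ips[session]),
                "users": sorted(users[session]),
            }
    return findings


if __name__ == "__main__":
    for sid, info in sorted(find_shared_sessions(SAMPLE_LOG).items()):
        print(f"{sid}: ips={info['ips']} users={info['users']}")
```

On the constructed input, sess-A1 is flagged for two client IPs and sess-C3 for two users, while sess-B2 (one IP, one user) is not; on real logs the same two conditions separate a reused session cookie from a session whose login state was never reset.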