I saw this tweeted:

*Michele Orru'* @antisnatchor <https://twitter.com/#!/antisnatchor> (<https://twitter.com/#!/antisnatchor/status/191823272214659072>):

New XSSs on Apache OFBiz http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html => after my recommendations years ago https://issues.apache.org/jira/browse/OFBIZ-1959 they are still vulnerable :D LOL

How do we address this?

Regards,

Pierre
It's not quite clear if it's only a joke or not.

Because actually http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html were new vulnerabilities discovered by Matias Madou (mmadouhp.com) of Fortify/HP Security Research Group. Matias helped us to track them by giving precise URLs and ways of reproducing, when Michele Orru' never answered precisely to our questions in this issue.

The only way to be sure would be to reproduce what Michelle described in this issue...

Jacques
In reply to this post by Pierre Smits
He is tweeting about the vulnerability announcement we did yesterday, that was fixed with the release 10.04.02 of yesterday... I don't think there is anything new to comment about.

Jacopo

On Apr 16, 2012, at 11:43 AM, Pierre Smits wrote:
In reply to this post by Jacques Le Roux
Michele likes to claim credit for reporting all current and future OFBiz vulnerabilities based on a very old Jira issue that was fixed long ago. He/she can be ignored.

-Adrian

On 4/16/2012 11:16 AM, Jacques Le Roux wrote:
So if I understand it correctly, the vulnerability issue concerns 10.04.01 and has been fixed with 10.04.02. That's why we urge end users to upgrade.

On 16 April 2012 12:31, Adrian Crum <[hidden email]> wrote:
Correct. In addition, users of the release branches and trunk should update their local copies to the latest revisions.

-Adrian

On 4/16/2012 11:47 AM, Pierre Smits wrote:
In reply to this post by Jacques Le Roux
Mmm... re-reading OFBIZ-1959, I need to be more precise on that...

Actually Michelle helped us a lot. But he did not answer our last questions (David's and mine). Nobody ever reported XRSS issues, but it's quite possible there are still some...

Jacques
In reply to this post by Adrian Crum-3
He: https://twitter.com/#!/antisnatchor

Jacques