[
https://issues.apache.org/jira/browse/OFBIZ-12043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17218925#comment-17218925 ]
Deepak Dixit edited comment on OFBIZ-12043 at 10/22/20, 11:02 AM:
------------------------------------------------------------------
Hi MrR3Boot,
This is not an issue, you need to configure the allowed header in security.property[1] file.
By default following hosts are configured, as per need user needs to modify host headers
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
[1] [
https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/config/security.properties#L157]
was (Author: deepak.dixit):
Hi MrR3Boot,
This is not an issue, you need to configure the allowed header in security.property[1] file.
By default following following host are configured, as per need user need to add valid host header
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
[1]
https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/config/security.properties#L157> Host Header Injection still present on present release
> ------------------------------------------------------
>
> Key: OFBIZ-12043
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12043> Project: OFBiz
> Issue Type: Bug
> Affects Versions: 17.12.04
> Reporter: MrR3boot
> Priority: Major
> Labels: security
>
> It look like CVE-2019-12425 is not properly fixed in the 17.12.0.4 release. I can login to the application by changing host header to 127.0.0.1 and can access other applications.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
