Re: Users - Hidden partyId - Security Risk?

Posted by BJ Freeman on
URL: http://ofbiz.116.s1.nabble.com/Users-Hidden-partyId-Security-Risk-tp137366p137374.html

Both of those are OFBiz IDs; without the corresponding data in the
database, this is useless information.
If someone tried to post this to OFBiz, they would run into the
certificate, then user privileges, then the security, before any information
would be revealed about the CC.
The information, since ver 3.1, is encrypted in the DB, so it would be
difficult or impossible to retrieve such data.

I believe it would pass a security audit.

Vinay Agarwal sent the following on 2/10/06 8:23 AM:

> Another similar case in
> applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl which
> contains
>
>         <input type="hidden" name="paymentMethodId"
> value="${paymentMethodId}">
>
> And this application is designed for public use. What am I missing here?
>
>  
>
> Regards,
>
> Vinay Agarwal
>
>  
>
> -----Original Message-----
> From: Vinay Agarwal [mailto:[hidden email]]
> Sent: Friday, February 10, 2006 8:17 AM
> To: 'OFBiz Users / Usage Discussion'
> Subject: Hidden partyId - Security Risk?
>
>  
>
> Hello,
>
>  
>
> While going through credit card entry ftl's, I came across
> applications/party/webapp/partymgr/party/editcreditcard.ftl which contains
> the following line
>
> <input type="hidden" name="partyId" value="${partyId}"/>
>
> I could be missing something here, but it sure looks like a security risk to
> me. Granted that this ftl is probably designed to be used only for the Party
> Manager part of Webtools and not for a "public" application, but even that
> is not a good thing from a code reuse point of view.
>
>  
>
> Regards,
>
> Vinay Agarwal
>
>
>
>
> ------------------------------------------------------------------------
>
>  
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users
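The thread turns on whether a hidden `partyId` or `paymentMethodId` field is a risk. The value itself is only a selector; what matters is that the server never takes ownership from the form but from the authenticated session. The following is an added illustration, not OFBiz code and not from either poster: it contrasts a handler that trusts the hidden field with one that scopes the lookup to the logged-in party. The record store, party names and card numbers are constructed sample data.

```python
"""Added example: treating a hidden-field id as a selector, never as proof of ownership."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentMethod:
    payment_method_id: str
    party_id: str            # owner of the record
    card_number_masked: str  # only the masked form ever leaves the server


# Constructed sample records (hypothetical, not real OFBiz data).
PAYMENT_METHODS = {
    "10000": PaymentMethod("10000", "DemoCustomer", "************1111"),
    "10001": PaymentMethod("10001", "OtherCustomer", "************4444"),
}


class AuthorizationError(Exception):
    """Raised when the requested record is not owned by the session's party."""


def edit_credit_card_unsafe(form: dict) -> PaymentMethod:
    """Trusts the hidden fields as posted.

    Whoever edits the form body chooses the record, so the hidden
    paymentMethodId really is the whole access decision here.
    """
    return PAYMENT_METHODS[form["paymentMethodId"]]


def edit_credit_card(session_party_id: str, form: dict) -> PaymentMethod:
    """Uses the posted id only to pick a record; ownership comes from the session.

    A posted partyId is ignored entirely. A missing record and a record owned
    by someone else get the same error, so the response does not reveal which
    ids exist.
    """
    pm = PAYMENT_METHODS.get(form.get("paymentMethodId", ""))
    if pm is None or pm.party_id != session_party_id:
        raise AuthorizationError("payment method not found for this party")
    return pm


def is_tampered(session_party_id: str, form: dict) -> bool:
    """Detection helper: flags a form whose hidden partyId disagrees with the session.

    Useful as a log signal; the authorization decision above does not rely on it.
    """
    return form.get("partyId", session_party_id) != session_party_id


if __name__ == "__main__":
    own = {"paymentMethodId": "10000", "partyId": "DemoCustomer"}
    print(edit_credit_card("DemoCustomer", own).card_number_masked)
    foreign = {"paymentMethodId": "10001", "partyId": "OtherCustomer"}
    print("tampered:", is_tampered("DemoCustomer", foreign))
    try:
        edit_credit_card("DemoCustomer", foreign)
    except AuthorizationError as exc:
        print("denied:", exc)
```

The hardened handler answers the original question directly: the hidden id can stay in the template, because the server re-derives the party from the session and refuses any record that party does not own. The `is_tampered` check is a separate, defensive signal worth logging, since a hidden `partyId` that disagrees with the session is a reliable indicator of a modified form.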