1. What could be done with it?
Let’s take the example of the applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl file. One could save the HTML page to local disk, change the ${paymentMethodId} value using a text editor, and post the page back. If the security checks don’t catch this, the effect is that a user gets the ability to modify paymentMethods that do not belong to him/her.
2. Does the security check catch it? I am not sure if it catches it. Here are the details.
updateCreditCard service is called which calls
ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context, result, "PAY_INFO", "_UPDATE");
This checks whether partyId in the incoming map matches the partyId of the userLogin. After that, it is calling
if (!security.hasEntityPermission(secEntity, secOperation, userLogin)) {
This function is defined in framework/security/src/org/ofbiz/security/OFBizSecurity.java.
It checks for group permissions, but I don’t know enough to tell whether it does or does not catch this.
Regards,
Vinay Agarwal
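To make the question concrete, here is an added illustration (not OFBiz code) that models the two checks described above against a constructed in-memory PaymentMethod table: the partyId check alone passes a request whose hidden paymentMethodId was edited, while a hypothetical ownership check on the PaymentMethod record rejects it. The permission name PAY_INFO_UPDATE and the helper names are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: paymentMethodId -> owning partyId
PAYMENT_METHODS = {
    "10000": "ALICE",
    "10001": "BOB",
}


@dataclass(frozen=True)
class UserLogin:
    user_login_id: str
    party_id: str
    permissions: frozenset  # e.g. frozenset({"PAY_INFO_UPDATE"})


def party_id_check(user_login, context):
    """Analogue of getPartyIdCheckSecurity: the partyId in the request
    (defaulting to the caller's own) must equal the caller's partyId,
    unless the caller holds the PAY_INFO_UPDATE entity permission."""
    party_id = context.get("partyId", user_login.party_id)
    if party_id == user_login.party_id:
        return True
    return "PAY_INFO_UPDATE" in user_login.permissions


def owner_check(user_login, context, table=PAYMENT_METHODS):
    """Hypothetical ownership check: the PaymentMethod named by the hidden
    field must belong to the partyId the request is acting for."""
    owner = table.get(context.get("paymentMethodId"))
    if owner is None:
        return False  # unknown id: deny rather than fall through
    return owner == context.get("partyId", user_login.party_id)


def authorize_update(user_login, context):
    """Both checks must pass before updateCreditCard touches the record."""
    return party_id_check(user_login, context) and owner_check(user_login, context)


# Constructed requests: a legitimate one and one with the hidden field edited
alice = UserLogin("alice", "ALICE", frozenset())
legit = {"partyId": "ALICE", "paymentMethodId": "10000"}
tampered = {"partyId": "ALICE", "paymentMethodId": "10001"}
```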
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of bjfree
Sent: Friday, February 10, 2006 9:39 AM
To: OFBiz Users / Usage Discussion
Subject: Re: [OFBiz] Users - Hidden partyId - Security Risk?
Both of those are OFBiz IDs; without the corresponding data in the
database, this is useless information.
If someone tried to post this to OFBiz, they would run into the
certificate, then user privileges, then the security before any information
would be revealed about the CC.
The information, since ver 3.1, is encrypted in the DB, so it would be
difficult, or impossible, to retrieve such data.
I believe it would pass a security audit.
Vinay Agarwal sent the following on 2/10/06 8:23 AM:
> Another similar case in
> applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl which
> contains
>
> <input type="hidden" name="paymentMethodId"
> value="${paymentMethodId}">
>
> And this application is designed for public use. What am I missing here?
>
> Regards,
>
> Vinay Agarwal
>
> -----Original Message-----
> From: Vinay Agarwal [mailto:[hidden email]]
> Sent: Friday, February 10, 2006 8:17 AM
> To: 'OFBiz Users / Usage Discussion'
> Subject: Hidden partyId - Security Risk?
>
> Hello,
>
> While going through credit card entry ftl's, I came across
> applications/party/webapp/partymgr/party/editcreditcard.ftl which contains
> the following line
>
> <input type="hidden" name="partyId" value="${partyId}"/>
>
> I could be missing something here, but it sure looks like a security risk to
> me. Granted that this ftl is probably designed to be used only for the Party
> Manager part of Webtools and not for a "public" application, but even that
> is not a good thing from a code reuse point of view.
>
> Regards,
>
> Vinay Agarwal
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> http://lists.ofbiz.org/mailman/listinfo/users