Re: Users - Hidden partyId - Security Risk?

Posted by Vinay Agarwal on
URL: http://ofbiz.116.s1.nabble.com/Users-Hidden-partyId-Security-Risk-tp137366p137379.html

Another similar case is in applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl, which contains

        <input type="hidden" name="paymentMethodId" value="${paymentMethodId}">

And this application is designed for public use. What am I missing here?

Regards,

Vinay Agarwal

-----Original Message-----
From: Vinay Agarwal [mailto:[hidden email]]
Sent: Friday, February 10, 2006 8:17 AM
To: 'OFBiz Users / Usage Discussion'
Subject: Hidden partyId - Security Risk?

Hello,

While going through credit card entry FTLs, I came across applications/party/webapp/partymgr/party/editcreditcard.ftl, which contains the following line:

<input type="hidden" name="partyId" value="${partyId}"/>

I could be missing something here, but it sure looks like a security risk to me. Granted that this ftl is probably designed to be used only for the Party Manager part of Webtools and not for a “public” application, but even that is not a good thing from a code reuse point of view.

Regards,

Vinay Agarwal
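
Added example (not part of the original posts and not OFBiz code): a minimal Python model of the server-side check that decides whether hidden partyId / paymentMethodId fields like the two quoted above are a risk, by treating both as untrusted input. The session layout, the PARTYMGR_UPDATE permission string, the function names and the sample records are assumptions constructed for illustration.

```python
# Constructed sample data: paymentMethodId -> record with its owning partyId.
PAYMENT_METHODS = {
    "9000": {"partyId": "DemoCustomer", "cardNumber": "************1111"},
    "9001": {"partyId": "OtherCustomer", "cardNumber": "************2222"},
}


class Forbidden(Exception):
    """Raised when the request names a record the caller may not touch."""


def effective_party_id(session, form):
    """Decide whose data the request acts on.

    The partyId stored in the server-side session is authoritative. A partyId
    arriving in the form is honoured only for callers holding the (assumed)
    PARTYMGR_UPDATE permission, as a back-office screen would require.
    """
    submitted = form.get("partyId")
    if submitted is None or submitted == session["partyId"]:
        return session["partyId"]
    if "PARTYMGR_UPDATE" in session.get("permissions", ()):
        return submitted
    raise Forbidden("partyId in form does not match logged-in party")


def load_payment_method(session, form, store=PAYMENT_METHODS):
    """Return the payment method named in the form after an ownership check."""
    party_id = effective_party_id(session, form)
    record = store.get(form.get("paymentMethodId"))
    # Same error for "missing" and "not yours" so IDs cannot be enumerated.
    if record is None or record["partyId"] != party_id:
        raise Forbidden("payment method not available to this party")
    return record
```

With a check of this kind on every request, the hidden field is only a convenience for round-tripping the id; without it, editing the field value in the browser selects another party's record.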


 