Re: Users - Hidden partyId - Security Risk?

Posted by Si Chen-2 on
URL: http://ofbiz.116.s1.nabble.com/Users-Hidden-partyId-Security-Risk-tp137366p137381.html

It should catch it... why not hack the form? Modify the .ftl, put in a
different paymentMethodId string, and then try it?

We always think it should do this or that, but.... :)

Vinay Agarwal wrote:

> 1. What could be done with it?
>
> Let’s take the example of the
> applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl
> file. One could save the html page to local disk. Then one could
> change the ${paymentMethodId} value using a text editor and post the
> page back. If the security checks don’t catch this, this will have the
> effect of a user getting the ability to modify paymentMethods that do not
> belong to him/her.
>
> 2. Does the security check catch it? I am not sure if it catches it.
> Here are the details.
>
> updateCreditCard service is called which calls
>
> ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context,
> result, "PAY_INFO", "_UPDATE");
>
> This checks whether partyId in the incoming map matches the partyId of
> the userLogin. After that, it is calling
>
> if (!security.hasEntityPermission(secEntity, secOperation, userLogin)) {
>
> This function is defined in
> framework/security/src/org/ofbiz/security/OFBizSecurity.java.
>
> It checks for group permissions but I don’t know enough to tell
> whether it does or does not catch this.
>
> Regards,
>
> Vinay Agarwal
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of bjfree
> Sent: Friday, February 10, 2006 9:39 AM
> To: OFBiz Users / Usage Discussion
> Subject: Re: [OFBiz] Users - Hidden partyId - Security Risk?
>
> Both of those are OFBiz IDs; without the corresponding data in the
> database, this is useless information.
>
> If someone tried to post this to OFBiz, they would run into the
> certificate, then User privileges, then the Security before any information
> would be revealed about the cc.
>
> The information, since ver 3.1, is encrypted in the DB so it would be
> difficult, or impossible to retrieve such data.
>
> I believe it would pass a security audit.
>
> Vinay Agarwal sent the following on 2/10/06 8:23 AM:
>
>> Another similar case in
>> applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl which
>> contains
>>
>> <input type="hidden" name="paymentMethodId"
>> value="${paymentMethodId}">
>>
>> And this application is designed for public use. What am I missing here?
>>
>> Regards,
>>
>> Vinay Agarwal
>>
>> -----Original Message-----
>> From: Vinay Agarwal [mailto:[hidden email]]
>> Sent: Friday, February 10, 2006 8:17 AM
>> To: 'OFBiz Users / Usage Discussion'
>> Subject: Hidden partyId - Security Risk?
>>
>> Hello,
>>
>> While going through credit card entry ftl's, I came across
>> applications/party/webapp/partymgr/party/editcreditcard.ftl which
>> contains the following line
>>
>> <input type="hidden" name="partyId" value="${partyId}"/>
>>
>> I could be missing something here, but it sure looks like a security
>> risk to me. Granted that this ftl is probably designed to be used only
>> for the Party Manager part of Webtools and not for a "public" application,
>> but even that is not a good thing from a code reuse point of view.
>>
>> Regards,
>>
>> Vinay Agarwal
>>
>> _______________________________________________
>> Users mailing list
>> [hidden email]
>> http://lists.ofbiz.org/mailman/listinfo/users
>
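An added example, not code from this thread or from OFBiz, of the ownership check the discussion is circling around: the service must resolve the record named by the client-supplied paymentMethodId and compare its owning partyId with the partyId of the server-side userLogin, with the group permission (the hasEntityPermission "PAY_INFO" / "_UPDATE" check mentioned above) as the only override. PaymentMethodAuthz, the PaymentMethod record, STORE and the sample ids are hypothetical stand-ins for OFBiz's entity lookup; the code assumes Java 16 or later for records.

```java
import java.util.HashMap;
import java.util.Map;

// Added example (not OFBiz code): ownership check for the updateCreditCard case
// discussed in the thread. Class, record, STORE and sample ids are hypothetical.
public class PaymentMethodAuthz {

    /** Stand-in for an OFBiz PaymentMethod row: its id and the owning partyId. */
    record PaymentMethod(String paymentMethodId, String partyId) {}

    /** Hypothetical in-memory replacement for the PaymentMethod entity lookup. */
    static final Map<String, PaymentMethod> STORE = new HashMap<>();
    static {
        // Constructed sample data: two customers, one stored card each.
        STORE.put("PM-1001", new PaymentMethod("PM-1001", "CUST-A"));
        STORE.put("PM-2002", new PaymentMethod("PM-2002", "CUST-B"));
    }

    /**
     * Decide whether the authenticated user may update the named payment method.
     *
     * @param sessionPartyId  partyId of the server-side userLogin, never the form value
     * @param requestedPaymentMethodId  the client-controlled hidden field
     * @param hasPayInfoUpdatePerm  outcome of the group permission check
     *        (the hasEntityPermission call with "PAY_INFO" / "_UPDATE" in the thread)
     */
    static boolean mayUpdate(String sessionPartyId, String requestedPaymentMethodId,
                             boolean hasPayInfoUpdatePerm) {
        if (hasPayInfoUpdatePerm) {
            return true; // back-office role (Party Manager) may act across parties
        }
        PaymentMethod pm = STORE.get(requestedPaymentMethodId);
        if (pm == null) {
            return false; // unknown id: deny rather than fall through to a create path
        }
        // Decisive check: the record's owner must be the session identity.
        // Comparing only the submitted partyId with the session would not help,
        // because partyId and paymentMethodId can both be edited in the saved HTML.
        return sessionPartyId.equals(pm.partyId());
    }

    public static void main(String[] args) {
        System.out.println(mayUpdate("CUST-A", "PM-1001", false)); // own card
        System.out.println(mayUpdate("CUST-A", "PM-2002", false)); // another party's card
        System.out.println(mayUpdate("ADMIN-1", "PM-2002", true)); // PAY_INFO_UPDATE holder
    }
}
```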