Re: Users - Security

Posted by Jacques Le Roux on Feb 17, 2006; 8:12am
URL: http://ofbiz.116.s1.nabble.com/Users-Security-tp137421p137423.html

A good point for Andrew D.!
So I apologize: he is not a PHB.
Mmm, looks like *everyone* has to read *carefully* the OFBiz Basic Production Setup Guide

Jacques
----- Original Message -----
From: [hidden email]
To: [hidden email]
Sent: Thursday, February 16, 2006 11:44 PM
Subject: Re: [OFBiz] Users - Security

First of all I would like to thank Andrew for not only posting the security issues w/ the default admin logins, but for also discreetly contacting us to notify us that one of our client’s OFBiz instances still had the DEMOADMIN enabled.  I disabled it and checked on all of my other OFBiz production sites.  I really appreciate the heads-up, helping me to avoid a potentially embarrassing incident of a malicious user being able to view and exploit credit card info.

As for the benefits/drawbacks to using free open-source apps like OFBiz, my experiences have been quite positive.  You might not get step-by-step instructions in responses to your support requests, but the responses do point you in the right direction.  An example is David’s recent reply to a question I had on volume & performance which directed me to the stats tool.  Through the tool I was able to find the pages that were not optimized.  Eventually, by modifying some of the methods in the CatalogWorker, the page load times were decreased from an average of several seconds to a fraction of a second.

So, with the free support you won’t have someone rolling up their sleeves and digging through your OFBiz installation, but you will be given the direction to do it yourself.  Or, I’m sure you could pay an OFBiz consultant to do the digging for you like you would with any commercial support contract.

As for OFBiz in production, a client did so well in online sales through a regional website that they’ve recently launched a new nationwide site.  They have been extremely impressed with all of the built-in functionality OFBiz offers, and the flexibility to add and customize whatever we want.  For example they setup dynamic pricing where a job runs each night, checks each product for the total # of sales in the last 7 days, compares it to the weekly quota defined for that product, then increments price up or down if needed until it eventually hits the min or max price for that product.  This has saved them countless man hours and has drastically increased their profitability by allowing them to utilize demand-based pricing.  The beauty is that OFBiz made it so easy to implement this feature.  Just had to add a few fields to the Product entity, add a couple of new services (love the mini-lang), and setup the automated scheduling.  The site often averages over 1000 OFBiz page hits in a 15 minute period, and handles hundreds (soon thousands) of orders a day.  Yes, they’re no Amazon, but for a start-up they have been extremely pleased with OFBiz’s ability to grow with them.

I understand your frustrations, I’ve experienced my share of them over the years, but I promise that things get easier and quicker the more familiar you become with OFBiz and how it works.  If you’ve already decided that OFBiz is not for you, best wishes for whatever platform you end up going with.

Thank you sir!

sterling

From: Andrew Dupa [mailto:[hidden email]]
Sent: Thursday, February 16, 2006 11:38 AM
To: OFBiz Users / Usage Discussion
Subject: Re: [OFBiz] Users - Security

Before you kick me off here... I think some of you should be kicked off for the same reasons. Your attitude is as bad if not worse than mine.

So let's just recap on the two experiences I had with the 'users' list of OFBiz. Remember users, those people you belittle.

I asked about a known problem with the Job Sandbox table and was told that I could delete records from the database. Really, wow!!! You guys are so smart, can you be more specific please? I was then told that my clean up wasn't running, please be as vague as you can. I'm only trying to get a production system back up and running here, it's not costing you money I know but someone has to pay in the end. Clowns. People like you get fired from my company.

I've read some threads here and all I hear is check out the latest code - wtf - have you lost your mind - do you know how to run a production system?

I tell you that I have worked out how to crack a password on OFBiz; any basic statistics/maths/computer science knowledge will tell you it's not as hard as it should be.


So at the end of the day, in my day job I'm about to ship a major product built on open source software that most of you probably use every day (no, it's not built on OFBiz; there's no way I would put my name on it unless I regression-tested the hell out of it). Dealing with them is amazing, dealing with you guys is a joke.

So although I may have a big ego and be a bit blunt, I think you all need to take a good hard look at yourselves and how you treat the end users of the system, and how you answer questions. If you want your cliquey little club then you are not going to attract the kind of developer to work on this that can help you out of your mess and become a major open source player. But then again it's amateur hour here. I think you'll be gone in 2 years. I'd put money on it.

Good luck

...code and fix code and fix code and fix...code and fix...we're so smart....code and fix....check it in...testing is for losers

On 2/15/06, BJ Freeman <[hidden email]> wrote:

and I thought I had an Ego. LOL

Andrew Dupa sent the following on 2/15/06 10:32 AM:


> How secure is OFBiz?
>
> Am I the only one concerned about the security holes? I would happily detail
> those that I found, but not publicly on the list, for those poor souls still
> using it. I'm pulling my site immediately and moving to another platform.
>
> Oh, and by the way, if you're running a production site make sure you change all
> the admin and demoadmin passwords; you wouldn't believe how many I found that
> didn't on your end users list.
>
>
>
> ------------------------------------------------------------------------
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users
