First of all I would like to thank Andrew for not only posting the security issues w/ the default admin logins, but for also discreetly contacting us to notify us that one of our client’s OFBiz instances still had the DEMOADMIN enabled. I disabled it and checked on all of my other OFBiz production sites. I really appreciate the heads-up, helping me to avoid a potentially embarrassing incident of a malicious user being able to view and exploit credit card info.
As for the benefits/drawbacks to using free open-source apps like OFBiz, my experiences have been quite positive. You might not get step-by-step instructions in responses to your support requests, but the responses do point you in the right direction. An example is David’s recent reply to a question I had on volume & performance which directed me to the stats tool. Through the tool I was able to find the pages that were not optimized. Eventually, by modifying some of the methods in the CatalogWorker, the page load times were decreased from an average of several seconds to a fraction of a second.
So, with the free support you won’t have someone rolling up their sleeves and digging through your OFBiz installation, but you will be given the direction to do it yourself. Or, I’m sure you could pay an OFBiz consultant to do the digging for you like you would with any commercial support contract.
As for OFBiz in production, a client did so well in online sales through a regional website that they’ve recently launched a new nationwide site. They have been extremely impressed with all of the built-in functionality OFBiz offers, and the flexibility to add and customize whatever we want. For example they set up dynamic pricing where a job runs each night, checks each product for the total # of sales in the last 7 days, compares it to the weekly quota defined for that product, then increments price up or down if needed until it eventually hits the min or max price for that product. This has saved them countless man hours and has drastically increased their profitability by allowing them to utilize demand-based pricing. The beauty is that OFBiz made it so easy to implement this feature. Just had to add a few fields to the Product entity, add a couple of new services (love the mini-lang), and set up the automated scheduling. The site often averages over 1000 OFBiz page hits in a 15 minute period, and handles hundreds (soon thousands) of orders a day. Yes, they’re no Amazon, but for a start-up they have been extremely pleased with OFBiz’s ability to grow with them.
I understand your frustrations; I’ve experienced my share of them over the years, but I promise that things get easier and quicker the more familiar you become with OFBiz and how it works. If you’ve already decided that OFBiz is not for you, best wishes for whatever platform you end up going with.
Thank you sir!
sterling
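The nightly demand-based pricing job described in the message above, written out as an added example. This is not code from the original post, from the client’s site or from OFBiz itself: the extra product fields (weekly quota, minimum and maximum price, and a per-run price step), the order records and the product ids are all constructed for illustration, and the logic is kept free of any OFBiz entity or service API so it runs stand-alone. It shows the two details the description leaves implicit: only orders inside the trailing 7-day window count, and the price is clamped so a product already sitting at its floor or ceiling stays there on repeated runs instead of drifting out of range.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass
class Product:
    """Hypothetical stand-in for a Product record plus the added pricing fields."""
    product_id: str
    price: Decimal
    min_price: Decimal
    max_price: Decimal
    weekly_quota: int       # units the product is expected to sell per week
    price_step: Decimal     # how far one nightly run may move the price


def sales_in_window(orders, product_id, now, days=7):
    """Sum units sold for one product in the trailing window (default 7 days).

    `orders` is an iterable of (product_id, order_timestamp, quantity) tuples.
    Orders older than the window, or dated after `now`, are ignored.
    """
    window_start = now - timedelta(days=days)
    return sum(
        qty for pid, ts, qty in orders
        if pid == product_id and window_start <= ts <= now
    )


def adjust_price(product, units_sold):
    """Move the price one step toward demand, never past min/max.

    Above quota: raise the price. Below quota: lower it. Exactly on quota:
    leave it alone. The clamp is what makes the job safe to run every night.
    """
    if units_sold > product.weekly_quota:
        target = product.price + product.price_step
    elif units_sold < product.weekly_quota:
        target = product.price - product.price_step
    else:
        return product.price
    return max(product.min_price, min(product.max_price, target))


def run_nightly_job(products, orders, now):
    """One scheduled run: returns {product_id: (units_sold, new_price)}.

    Products are not mutated here; a real job would persist the new prices
    after this step, which keeps the result easy to review and to test.
    """
    result = {}
    for p in products:
        sold = sales_in_window(orders, p.product_id, now)
        result[p.product_id] = (sold, adjust_price(p, sold))
    return result


def sample_data():
    """Constructed products and orders (not real catalog data)."""
    now = datetime(2006, 2, 16, 2, 0)  # the job's run time

    def days_ago(n):
        return now - timedelta(days=n)

    products = [
        Product("WIDGET", Decimal("20.00"), Decimal("15.00"), Decimal("25.00"), 10, Decimal("0.50")),
        Product("GADGET", Decimal("15.00"), Decimal("15.00"), Decimal("25.00"), 10, Decimal("1.00")),
        Product("GIZMO",  Decimal("24.80"), Decimal("10.00"), Decimal("25.00"),  5, Decimal("0.50")),
        Product("DOODAD", Decimal("9.99"),  Decimal("5.00"),  Decimal("15.00"),  4, Decimal("0.25")),
    ]
    orders = [
        ("WIDGET", days_ago(1), 5), ("WIDGET", days_ago(3), 4), ("WIDGET", days_ago(6), 3),
        ("WIDGET", days_ago(10), 5),   # outside the 7-day window, must not count
        ("GADGET", days_ago(2), 3),    # below quota but already at the floor
        ("GIZMO", days_ago(5), 7),     # above quota; a full step would pass the ceiling
        ("DOODAD", days_ago(1), 4),    # exactly on quota, price unchanged
    ]
    return products, orders, now


if __name__ == "__main__":
    products, orders, now = sample_data()
    for pid, (sold, price) in run_nightly_job(products, orders, now).items():
        print(f"{pid}: sold {sold} in the last 7 days -> new price {price}")
```

Prices are held as `Decimal` rather than `float` so that repeated nightly steps never accumulate rounding error, and the job returns its proposed changes instead of writing them, so the scheduled service that wraps it can log or review the result before committing.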
From: Andrew Dupa [mailto:
Sent: Thursday, February 16, 2006 11:38 AM
To:
Subject: Re: [OFBiz] Users - Security
Before you kick me off here....I think some of you should be kicked off for the same reasons...your attitude is as bad if not worse than mine.
So let's just recap the two experiences I had with the 'users' list of ofbiz. Remember users, those people you belittle.
I asked about a known problem with the JobSandbox table and was told that I could delete records from the database. Really, wow!!! You guys are so smart, can you be more specific please? I was then told that my clean up wasn't running, please be as vague as you can. I'm only trying to get a production system back up and running here, it's not costing you money I know but someone has to pay in the end. Clowns. People like you get fired from my company.
I've read some threads here and all I hear is check out the latest code - wtf - have you lost your mind - do you know how to run a production system?
I tell you that I have worked out how to crack a password on ofbiz, any basic statistics/maths/computer science knowledge will tell you it's not as hard as it should be.
So at the end of the day in my day job I'm about to ship a major product built on open source software that most of you probably use every day (no, it's not built on ofbiz; there's no way I would put my name on it unless I regression tested the hell out of it). Dealing with them is amazing, dealing with you guys is a joke.
So although I may have a big ego and be a bit blunt, I think you all need to take a good hard look at yourselves and how you treat the end users of the system, how you answer questions. If you want your cliquey little club then you are not going to attract the kind of developer to work on this that can help you out of your mess and become a major open source player. But then again it's amateur hour here. I think you'll be gone in 2 years. I'd put money on it.
Good luck
...code and fix code and fix code and fix...code and fix...we're so smart....code and fix....check it in...testing is for losers
On 2/15/06, BJ Freeman <[hidden email]> wrote:
and I thought I had an Ego. LOL
Andrew Dupa sent the following on 2/15/06 10:32 AM:
> How secure is Ofbiz?
>
> Am I the only one concerned about the security holes? I would happily detail those that I found but not publicly on the list for those poor souls still using it. I'm pulling my site immediately and moving to another platform.
>
> Oh and by the way if you're using a production site make sure you change all the admin, demoadmin passwords; you wouldn't believe how many I found that didn't on your end users list.
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users