Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/09/02 08:05:32 UTC

[ofbiz-site] branch master updated: Better and complete description of post-auth attacks refusal

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git


The following commit(s) were added to refs/heads/master by this push:
     new d31243f  Better and complete description of post-auth attacks refusal
d31243f is described below

commit d31243f826b2584b172ee465730cfc427e1d2ddf
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Thu Sep 2 10:05:17 2021 +0200

    Better and complete description of post-auth attacks refusal
---
 security.html                  | 4 +++-
 template/page/security.tpl.php | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/security.html b/security.html
index 4b9dac2..82770ab 100644
--- a/security.html
+++ b/security.html
@@ -130,7 +130,9 @@
             <h2><a id="security"></a>Security Vulnerabilities</h2>
             <div class="divider"><span></span></div>
             <p> <strong> We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
-            <p>Note that we no longer create CVEs for post-auth attacks done using the credential demo, notably using the admin user. <a href="https://s.apache.org/dsj2p">Rather create bugs reports in our issue tracker (Jira) for that.</a> The main reason why we no longer create CVEs post-auth attacks done using the credential demo is because <a href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security">we highly suggest to OFBiz users to not use credential  [...]
+            <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. <a href="https://s.apache.org/dsj2p">Rather create bugs reports in our issue tracker (Jira) for that.</a> The main reason why we no longer create CVEs for post-auth attacks done using demo credentials is because <a href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security">we highly suggest to OFBiz users to not use credentials d [...]
+            <p>We also reject post-auth vulnerabilities because we have a solid CSRF defense. Except in specific cases, notably in ecommerce where an user without role or an anonymous user can be used for attacks.</p>
+            
             <p>Please see the  <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p>
             <p>You might be interested by our <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external">Keeping OFBiz secure wiki page.</a></p>
  
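Review bot: the second added line, "We also reject post-auth vulnerabilities because we have a solid CSRF defense", overreaches. A CSRF defense only blocks requests forged from another origin through a logged-in user's browser; it does not address an authenticated low-privilege user sending requests directly, so it cannot by itself justify rejecting every post-auth report. Narrow the sentence to what the defense actually covers, e.g. "We also reject post-auth reports that rely on forging a request from an authenticated user's browser, because OFBiz has CSRF protection." The following "Except in specific cases, notably in ecommerce where an user without role or an anonymous user can be used for attacks." is a sentence fragment; join it to the previous sentence with a comma and change "an user" to "a user". In the first added line, "Rather create bugs reports" should read "Rather, create bug reports", and the link text should not swallow the whole sentence. The third added line is whitespace only and should be dropped.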
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index 5fccda2..68ac16c 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -19,7 +19,9 @@
             <h2><a id="security"></a>Security Vulnerabilities</h2>
             <div class="divider"><span></span></div>
             <p> <strong> We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
-            <p>Note that we no longer create CVEs for post-auth attacks done using the credential demo, notably using the admin user. <a href="https://s.apache.org/dsj2p">Rather create bugs reports in our issue tracker (Jira) for that.</a> The main reason why we no longer create CVEs post-auth attacks done using the credential demo is because <a href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security">we highly suggest to OFBiz users to not use credential  [...]
+            <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. <a href="https://s.apache.org/dsj2p">Rather create bugs reports in our issue tracker (Jira) for that.</a> The main reason why we no longer create CVEs for post-auth attacks done using demo credentials is because <a href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security">we highly suggest to OFBiz users to not use credentials d [...]
+            <p>We also reject post-auth vulnerabilities because we have a solid CSRF defense. Except in specific cases, notably in ecommerce where an user without role or an anonymous user can be used for attacks.</p>
+            
             <p>Please see the  <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p>
             <p>You might be interested by our <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external">Keeping OFBiz secure wiki page.</a></p>
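Review bot: this hunk repeats the security.html change line for line, so any wording fix applied to one file must be mirrored here (or the HTML regenerated from the template) to keep the two in sync; the same "an user", "bugs reports", sentence-fragment and whitespace-only-line issues apply to the three added lines. The unchanged context line above still spells the project "OfBiz users" while the added lines use "OFBiz"; worth normalising while this paragraph is being edited.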