You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ofbiz.apache.org by Sonali Agrahari <so...@gmail.com> on 2018/04/16 04:08:07 UTC
How to resolve CSRF attack
Hello all,
I am using OFBiz 12.04 version in my application.
When logged in to the application as admin user and open web mail in
another browser , suppose we received a mail which have link
http://xyz.com/activate.html .
The links points to html file as :
<html>
<head>
</head>
<body>
<form action =
"https://localhost:8443/catalog/control/CreateProductCategory" name = "f1"
id = "f1" method = "post">
<input type = "hidden" name = "sectorName" id = "sectorName" value =
"SECTOR" >
<input type = "hidden" name = "productName" id = "productName" value =
"PRODUCT" >
</form>
</body>
</html>
The user clicks on this link while he has logged on to the application. As
the crafted form is doing a post request in a valid session, the requested
post gets executed and result will be displayed i.e. all values will be
inserted in database properly.
And the link gets opened in other tab of same browser.
How can resolve this type of vulnerability.
Kindly help.
Thanks & regards
Sonali
--
Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
Re: How to resolve CSRF attack
Posted by Chris Clark <ri...@gmail.com>.
Ahh ok makes sense, you know to first sign up for the list serv before you
hit it up xD...
On Tue, Apr 17, 2018, 4:27 AM Jacques Le Roux, <ja...@les7arts.com>
wrote:
> It means that the person sends a message to the ML w/o being subscribed to
> it. So we (moderators) have to allow this message to pass.
>
> Jacques
>
>
> Le 17/04/2018 à 04:49, Chris Clark a écrit :
> > What does yoyr message has been moderated mean?
> >
> > On Mon, Apr 16, 2018, 3:00 AM Sonali Agrahari, <
> sonaliagrahari8@gmail.com>
> > wrote:
> >
> >> Hello all,
> >>
> >> I am using OFBiz 12.04 version in my application.
> >> When logged in to the application as admin user and open web mail in
> >> another browser , suppose we received a mail which have link
> >> http://xyz.com/activate.html .
> >> The links points to html file as :
> >>
> >> <html>
> >> <head>
> >>
> >> </head>
> >> <body>
> >> <form action =
> >> "https://localhost:8443/catalog/control/CreateProductCategory" name =
> "f1"
> >> id = "f1" method = "post">
> >> <input type = "hidden" name = "sectorName" id = "sectorName"
> value =
> >> "SECTOR" >
> >> <input type = "hidden" name = "productName" id = "productName"
> value
> >> =
> >> "PRODUCT" >
> >> </form>
> >>
> >> </body>
> >> </html>
> >>
> >> The user clicks on this link while he has logged on to the application.
> As
> >> the crafted form is doing a post request in a valid session, the
> requested
> >> post gets executed and result will be displayed i.e. all values will be
> >> inserted in database properly.
> >> And the link gets opened in other tab of same browser.
> >>
> >> How can resolve this type of vulnerability.
> >> Kindly help.
> >>
> >>
> >> Thanks & regards
> >> Sonali
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
> >>
>
>
Re: How to resolve CSRF attack
Posted by Jacques Le Roux <ja...@les7arts.com>.
It means that the person sends a message to the ML w/o being subscribed to it. So we (moderators) have to allow this message to pass.
Jacques
Le 17/04/2018 à 04:49, Chris Clark a écrit :
> What does yoyr message has been moderated mean?
>
> On Mon, Apr 16, 2018, 3:00 AM Sonali Agrahari, <so...@gmail.com>
> wrote:
>
>> Hello all,
>>
>> I am using OFBiz 12.04 version in my application.
>> When logged in to the application as admin user and open web mail in
>> another browser , suppose we received a mail which have link
>> http://xyz.com/activate.html .
>> The links points to html file as :
>>
>> <html>
>> <head>
>>
>> </head>
>> <body>
>> <form action =
>> "https://localhost:8443/catalog/control/CreateProductCategory" name = "f1"
>> id = "f1" method = "post">
>> <input type = "hidden" name = "sectorName" id = "sectorName" value =
>> "SECTOR" >
>> <input type = "hidden" name = "productName" id = "productName" value
>> =
>> "PRODUCT" >
>> </form>
>>
>> </body>
>> </html>
>>
>> The user clicks on this link while he has logged on to the application. As
>> the crafted form is doing a post request in a valid session, the requested
>> post gets executed and result will be displayed i.e. all values will be
>> inserted in database properly.
>> And the link gets opened in other tab of same browser.
>>
>> How can resolve this type of vulnerability.
>> Kindly help.
>>
>>
>> Thanks & regards
>> Sonali
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
>>
Re: How to resolve CSRF attack
Posted by Chris Clark <ri...@gmail.com>.
What does yoyr message has been moderated mean?
On Mon, Apr 16, 2018, 3:00 AM Sonali Agrahari, <so...@gmail.com>
wrote:
> Hello all,
>
> I am using OFBiz 12.04 version in my application.
> When logged in to the application as admin user and open web mail in
> another browser , suppose we received a mail which have link
> http://xyz.com/activate.html .
> The links points to html file as :
>
> <html>
> <head>
>
> </head>
> <body>
> <form action =
> "https://localhost:8443/catalog/control/CreateProductCategory" name = "f1"
> id = "f1" method = "post">
> <input type = "hidden" name = "sectorName" id = "sectorName" value =
> "SECTOR" >
> <input type = "hidden" name = "productName" id = "productName" value
> =
> "PRODUCT" >
> </form>
>
> </body>
> </html>
>
> The user clicks on this link while he has logged on to the application. As
> the crafted form is doing a post request in a valid session, the requested
> post gets executed and result will be displayed i.e. all values will be
> inserted in database properly.
> And the link gets opened in other tab of same browser.
>
> How can resolve this type of vulnerability.
> Kindly help.
>
>
> Thanks & regards
> Sonali
>
>
>
>
>
>
>
>
>
> --
> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
>
Re: How to resolve CSRF attack
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Paul,
I tried hard to use it 9 months ago but did not succeed.
I even then inadvertently committed my then WIP work and then removed it at http://svn.apache.org/viewvc?view=revision&revision=1799243
I also tried the Tomcat RestCsrfPreventionFilter see my comment in OFBIZ-6766 at https://s.apache.org/ndCd
------------------------------------------------------------------------------------------------------------------------------------------------------
BTW (loosely related) when I worked on Ajax+JWT+CORS (OFBIZ-10307) I tried to use the Tomcat CORS Filter
<https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter> but finally gave up.
It's maybe possible to use these filters the right way.
But like I did for securing cookies (OFBIZ-6655 https://s.apache.org/4bnJ http://svn.apache.org/viewvc?view=revision&revision=1809687) I prefer to
handle it in our code and not depends on Tomcat for that.
YMMV
Sorry for he plain links in text, I have no time to play with [#] link stuff :)
Jacques
Le 17/04/2018 à 02:53, Paul Foxworthy a écrit :
> Hi Michael,
>
> I would say it is a vulnerability. OFBiz could make this distinction if we
> add a hidden field to each form with a unique hash, and verify the hash is
> correct when processing a POST. A spoofed form wouldn't have the right hash.
>
> We are already using some of the OWASP (Open Web Application Security
> Project, owasp.org) classes. They also have a library for CSRF prevention:
> https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project . Would
> this be useful?
>
> Cheers
>
> Paul Foxworthy
>
> On 16 April 2018 at 19:22, Michael Brohl <mi...@ecomify.de> wrote:
>
>> Hi Sonali,
>>
>> this is not a vulnerability.
>>
>> You are logged in and posting a request from the same browser with the
>> same session. There is no chance for OFBiz to make a distiction between a
>> request initiated from an OFBiz generated page or any other page (like your
>> webmail) from the same browser/session.
>>
>> Regards,
>>
>> Michael
>>
>>
>> Am 16.04.18 um 06:08 schrieb Sonali Agrahari:
>>
>> Hello all,
>>> I am using OFBiz 12.04 version in my application.
>>> When logged in to the application as admin user and open web mail in
>>> another browser , suppose we received a mail which have link
>>> http://xyz.com/activate.html .
>>> The links points to html file as :
>>>
>>> <html>
>>> <head>
>>> </head>
>>> <body>
>>> <form action =
>>> "https://localhost:8443/catalog/control/CreateProductCategory" name =
>>> "f1"
>>> id = "f1" method = "post">
>>> <input type = "hidden" name = "sectorName" id = "sectorName" value =
>>> "SECTOR" >
>>> <input type = "hidden" name = "productName" id = "productName"
>>> value =
>>> "PRODUCT" >
>>> </form>
>>>
>>> </body>
>>> </html>
>>>
>>> The user clicks on this link while he has logged on to the application. As
>>> the crafted form is doing a post request in a valid session, the requested
>>> post gets executed and result will be displayed i.e. all values will be
>>> inserted in database properly.
>>> And the link gets opened in other tab of same browser.
>>>
>>> How can resolve this type of vulnerability.
>>> Kindly help.
>>>
>>>
>>> Thanks & regards
>>> Sonali
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
>>>
>>
>>
>
Re: How to resolve CSRF attack
Posted by Paul Foxworthy <pa...@cohsoft.com.au>.
Hi Michael,
I would say it is a vulnerability. OFBiz could make this distinction if we
add a hidden field to each form with a unique hash, and verify the hash is
correct when processing a POST. A spoofed form wouldn't have the right hash.
We are already using some of the OWASP (Open Web Application Security
Project, owasp.org) classes. They also have a library for CSRF prevention:
https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project . Would
this be useful?
Cheers
Paul Foxworthy
On 16 April 2018 at 19:22, Michael Brohl <mi...@ecomify.de> wrote:
> Hi Sonali,
>
> this is not a vulnerability.
>
> You are logged in and posting a request from the same browser with the
> same session. There is no chance for OFBiz to make a distiction between a
> request initiated from an OFBiz generated page or any other page (like your
> webmail) from the same browser/session.
>
> Regards,
>
> Michael
>
>
> Am 16.04.18 um 06:08 schrieb Sonali Agrahari:
>
> Hello all,
>>
>> I am using OFBiz 12.04 version in my application.
>> When logged in to the application as admin user and open web mail in
>> another browser , suppose we received a mail which have link
>> http://xyz.com/activate.html .
>> The links points to html file as :
>>
>> <html>
>> <head>
>> </head>
>> <body>
>> <form action =
>> "https://localhost:8443/catalog/control/CreateProductCategory" name =
>> "f1"
>> id = "f1" method = "post">
>> <input type = "hidden" name = "sectorName" id = "sectorName" value =
>> "SECTOR" >
>> <input type = "hidden" name = "productName" id = "productName"
>> value =
>> "PRODUCT" >
>> </form>
>>
>> </body>
>> </html>
>>
>> The user clicks on this link while he has logged on to the application. As
>> the crafted form is doing a post request in a valid session, the requested
>> post gets executed and result will be displayed i.e. all values will be
>> inserted in database properly.
>> And the link gets opened in other tab of same browser.
>>
>> How can resolve this type of vulnerability.
>> Kindly help.
>>
>>
>> Thanks & regards
>> Sonali
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
>>
>
>
>
--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia
Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: info@coherentsoftware.com.au
Re: How to resolve CSRF attack
Posted by Michael Brohl <mi...@ecomify.de>.
Hi Sonali,
this is not a vulnerability.
You are logged in and posting a request from the same browser with the
same session. There is no chance for OFBiz to make a distiction between
a request initiated from an OFBiz generated page or any other page (like
your webmail) from the same browser/session.
Regards,
Michael
Am 16.04.18 um 06:08 schrieb Sonali Agrahari:
> Hello all,
>
> I am using OFBiz 12.04 version in my application.
> When logged in to the application as admin user and open web mail in
> another browser , suppose we received a mail which have link
> http://xyz.com/activate.html .
> The links points to html file as :
>
> <html>
> <head>
>
> </head>
> <body>
> <form action =
> "https://localhost:8443/catalog/control/CreateProductCategory" name = "f1"
> id = "f1" method = "post">
> <input type = "hidden" name = "sectorName" id = "sectorName" value =
> "SECTOR" >
> <input type = "hidden" name = "productName" id = "productName" value =
> "PRODUCT" >
> </form>
>
> </body>
> </html>
>
> The user clicks on this link while he has logged on to the application. As
> the crafted form is doing a post request in a valid session, the requested
> post gets executed and result will be displayed i.e. all values will be
> inserted in database properly.
> And the link gets opened in other tab of same browser.
>
> How can resolve this type of vulnerability.
> Kindly help.
>
>
> Thanks & regards
> Sonali
>
>
>
>
>
>
>
>
>
> --
> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
Re: How to resolve CSRF attack
Posted by Jacques Le Roux <ja...@Les7Arts.com>.
Hi Sonali,
Your last email has been moderated again
http://ofbiz.135035.n4.nabble.com/MODERATE-EMAIL-How-to-resolve-CSRF-attack-td4721783.html
The 1st one being https://markmail.org/message/jmkabexchsb7cvl2 4 months
ago.
Please, as Nabble also suggests you, consider to subscribe to the user ML
http://ofbiz.apache.org/mailing-lists.html.
You will get a better support, it's more fair to share with everybody there
and it's less work for moderators (thanks Deepak).
The wider the audience the better the answers you might get!
Thanks
This said, when I'll get a chance I'll try to answer you. But you should
know that OFBiz 12.04 is no longer supported (it's 6 years old) so it's
possible that this issue is fixed in newer releases but has not been
backported in 12.04. The last supported release is 16.11.04
https://ofbiz.apache.org/download.html
Hope this helps while waiting for a better answer (again subscribing will
help ;))
Jacques
--
Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html