Posted to user@ofbiz.apache.org by Joseph Francois <jo...@gmail.com> on 2020/05/03 10:23:07 UTC

Re: [CVE-2019-12425] Apache OFBiz Host Header Injection

Hello Jacques,

I installed 17.12.03 from scratch and I still get ": Domain x.x.x.x not accepted to prevent host header injection"

What am I doing wrong?

I have version 16 working.

Regards,
Joseph
On 2020/04/30 12:11:13, Jacques Le Roux <ja...@les7arts.com>
wrote:
> Severity:
> Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> OFBiz 17.12.01
>
> Description:
> Apache OFBiz is vulnerable to Host header injection by accepting
> arbitrary hosts
>
> Mitigation:
> Upgrade to 17.12.03 or manually apply the commit at OFBIZ-11583
> ----
>
> Credit:
> Pradeep Jairamani <pr...@gmail.com>
>
> References:
> https://ofbiz.apache.org/security.html
>
>

Re: [CVE-2019-12425] Apache OFBiz Host Header Injection

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Deepak,

And please Joseph Francois, your message has been moderated, else it would not have reached this Mailing List.

Please subscribe to the user ML for such questions and then use your email client.
See why here http://ofbiz.apache.org/mailing-lists.html.

You will get better support, people can answer you on the ML.
The wider the audience the better the answers you might get.

Also it's more work for moderators who have to accept your messages as long as you have not subscribed.
I'll personally no longer accept them and this is really the last time (other moderators still could).

Thanks

Jacques

On 04/05/2020 at 11:53, Deepak Dixit wrote:
> Hi Joseph Francois,
>
> Please check the security.properties file and add your host
> in the host-headers-allowed property.
> Please refer to [1] for more detail.
>
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-11583
>
>
> Thanks & Regards
> --
> Deepak Dixit
> ofbiz.apache.org
>
>
> On Mon, May 4, 2020 at 3:19 PM Joseph Francois <jo...@gmail.com>
> wrote:
>
>> Hello Jacques,
>>
>> I installed 17.12.03 from scratch and I still get ": Domain x.x.x.x not accepted to prevent host header injection"
>>
>> What am I doing wrong?
>>
>> I have version 16 working.
>>
>> Regards,
>> Joseph
>> On 2020/04/30 12:11:13, Jacques Le Roux <ja...@les7arts.com>
>> wrote:
>>> Severity:
>>> Important
>>>
>>> Vendor:
>>> The Apache Software Foundation
>>>
>>> Versions Affected:
>>> OFBiz 17.12.01
>>>
>>> Description:
>>> Apache OFBiz is vulnerable to Host header injection by accepting
>>> arbitrary hosts
>>> Mitigation:
>>> Upgrade to 17.12.03 or manually apply the commit at OFBIZ-11583
>>> ----
>>>
>>> Credit:
>>> Pradeep Jairamani <pr...@gmail.com>
>>>
>>> References:
>>> https://ofbiz.apache.org/security.html
>>>
>>>

Re: [CVE-2019-12425] Apache OFBiz Host Header Injection

Posted by Deepak Dixit <de...@apache.org>.
+joefrancois@gmail.com
Thanks & Regards
--
Deepak Dixit
ofbiz.apache.org


On Mon, May 4, 2020 at 3:23 PM Deepak Dixit <de...@apache.org> wrote:

> Hi Joseph Francois,
>
> Please check the security.properties file and add your host
> in the host-headers-allowed property.
> Please refer to [1] for more detail.
>
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-11583
>
>
> Thanks & Regards
> --
> Deepak Dixit
> ofbiz.apache.org
>
>
> On Mon, May 4, 2020 at 3:19 PM Joseph Francois <jo...@gmail.com>
> wrote:
>
>> Hello Jacques,
>>
>> I installed 17.12.03 from scratch and I still get ": Domain x.x.x.x not accepted to prevent host header injection"
>>
>> What am I doing wrong?
>>
>> I have version 16 working.
>>
>> Regards,
>> Joseph
>> On 2020/04/30 12:11:13, Jacques Le Roux <ja...@les7arts.com>
>> wrote:
>> > Severity:
>> > Important
>> >
>> > Vendor:
>> > The Apache Software Foundation
>> >
>> > Versions Affected:
>> > OFBiz 17.12.01
>> >
>> > Description:
>> > Apache OFBiz is vulnerable to Host header injection by accepting
>> > arbitrary hosts
>> >
>> > Mitigation:
>> > Upgrade to 17.12.03 or manually apply the commit at OFBIZ-11583
>> > ----
>> >
>> > Credit:
>> > Pradeep Jairamani <pr...@gmail.com>
>> >
>> > References:
>> > https://ofbiz.apache.org/security.html
>> >
>> >
>>
>

Re: [CVE-2019-12425] Apache OFBiz Host Header Injection

Posted by Deepak Dixit <de...@apache.org>.
Hi Joseph Francois,

Please check the security.properties file and add your host
in the host-headers-allowed property.
Please refer to [1] for more detail.


[1] https://issues.apache.org/jira/browse/OFBIZ-11583


Thanks & Regards
--
Deepak Dixit
ofbiz.apache.org


On Mon, May 4, 2020 at 3:19 PM Joseph Francois <jo...@gmail.com>
wrote:

> Hello Jacques,
>
> I installed 17.12.03 from scratch and I still get ": Domain x.x.x.x not accepted to prevent host header injection"
>
> What am I doing wrong?
>
> I have version 16 working.
>
> Regards,
> Joseph
> On 2020/04/30 12:11:13, Jacques Le Roux <ja...@les7arts.com>
> wrote:
> > Severity:
> > Important
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > OFBiz 17.12.01
> >
> > Description:
> > Apache OFBiz is vulnerable to Host header injection by accepting
> > arbitrary hosts
> >
> > Mitigation:
> > Upgrade to 17.12.03 or manually apply the commit at OFBIZ-11583
> > ----
> >
> > Credit:
> > Pradeep Jairamani <pr...@gmail.com>
> >
> > References:
> > https://ofbiz.apache.org/security.html
> >
> >
>
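Deepak's answer above (add your host to the host-headers-allowed property in security.properties) describes an allowlist check, and Joseph's error shows what happens when the server's own name is missing from that list. The following is an added example, not OFBiz code and not written by anyone on this thread: it parses a constructed security.properties fragment, validates a request's Host header against the resulting allowlist, and shows the fresh-install rejection followed by the fix. The key name comes from the thread; the comma-separated value format, the port stripping, the IPv6 bracket handling, the message text and every function name are assumptions of this example, so compare with the file shipped in your own OFBiz release.

```python
from __future__ import annotations

from typing import Iterable

# Constructed sample of the relevant line in security.properties. The key name
# comes from the thread; the comma-separated value format is an assumption of
# this example (check the file shipped with your OFBiz release).
SECURITY_PROPERTIES = """\
# constructed sample, not the file shipped with OFBiz
some-other-setting=true
host-headers-allowed=localhost,127.0.0.1,shop.example.com
"""


def parse_allowed_hosts(properties_text: str, key: str = "host-headers-allowed") -> set[str]:
    """Return the allowlisted hosts from a .properties text, lower-cased."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            return {h.strip().lower() for h in value.split(",") if h.strip()}
    return set()


def host_from_header(host_header: str) -> str:
    """Extract the host part of a Host header value, dropping any :port.
    IPv6 literals arrive bracketed ("[::1]:8443"); the brackets are removed.
    Whether OFBiz itself strips the port is not stated in the thread."""
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else ""
    return value.split(":", 1)[0]


def host_header_allowed(host_header: str, allowed: Iterable[str]) -> bool:
    """Exact-match check: the host must appear in the allowlist verbatim.
    No wildcard or suffix matching, so a look-alike domain never passes."""
    host = host_from_header(host_header)
    return bool(host) and host in {h.lower() for h in allowed}


def check_request_host(host_header: str, properties_text: str) -> tuple[bool, str]:
    """Combine both steps; the rejection text is modelled on the one quoted in the thread."""
    allowed = parse_allowed_hosts(properties_text)
    if host_header_allowed(host_header, allowed):
        return True, f"Host {host_header} accepted"
    return False, (f"Domain {host_from_header(host_header)} not accepted to prevent host header injection; "
                   f"add it to host-headers-allowed in security.properties")


if __name__ == "__main__":
    # A fresh install whose allowlist lacks the server's public address: Joseph's situation.
    print(check_request_host("203.0.113.10:8443", SECURITY_PROPERTIES))
    # After adding that address to the property, the same request is accepted.
    patched = SECURITY_PROPERTIES.replace("shop.example.com", "shop.example.com,203.0.113.10")
    print(check_request_host("203.0.113.10:8443", patched))
```

The match is deliberately exact rather than a suffix or regular-expression match: the point of the allowlist is that only names the operator wrote down are accepted, so every hostname or address the server is legitimately reached under (including the ones used by load balancers and health checks) has to be listed.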