Posted to user@ofbiz.apache.org by "vivek.mi" <vm...@gmail.com> on 2017/12/19 05:40:36 UTC

Security Related Issues in OFBiz

Hello All,

A few issues were reported while testing my application, which is built upon
the OFBiz framework, using the IBM AppScan tool for black-box testing. The
issues are listed below:

1. Unsafe third-party link (target="_blank") in screens and forms.
    
2. Query Parameter in SSL Request while sending hidden fields in XML and FTL
forms.

3. Body Parameters Accepted in Query

4. Archive File Download

5. Cacheable SSL Page Found

Please suggest how I can go ahead to resolve these issues. I am using OFBiz
version 12.05.

Thanks in advance,
Vivek Mishra



-----
Vivek Mishra
--
Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
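
The post above names the findings but not what a fix looks like, so here is an added example (not OFBiz code and not something from the thread): a standard javax.servlet Filter, the API OFBiz web applications run on, that addresses findings 2, 3 and 5. The package name, the class name and the parameter names in BODY_ONLY_PARAMS are assumptions constructed for this example; replace the list with the hidden-field names your own forms actually send.

```java
// Added example, not part of the OFBiz project. Hypothetical package name.
package example.security;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ScanFindingsFilter implements Filter {

    // Parameter names that must only ever arrive in a POST body, never in the
    // query string (findings 2 and 3). Constructed sample list; put the names
    // of your own hidden form fields here.
    private static final Set<String> BODY_ONLY_PARAMS = new HashSet<String>(
            Arrays.asList("password", "sessionToken", "accountNumber"));

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Findings 2 and 3: sensitive or body-only values must not travel in
        // the URL, where they end up in logs, proxies and browser history.
        // getParameter() merges query string and body, so inspect the raw
        // query string instead and reject the request before any handler
        // reads it.
        String query = request.getQueryString();
        if (query != null && containsBodyOnlyParam(query)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "parameter not accepted in query string");
            return;
        }

        // Finding 5: stop browsers and proxies caching TLS responses that may
        // contain session data. Headers are set before the chain runs so that
        // handlers which commit the response early still carry them.
        if (request.isSecure()) {
            response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0);
        }

        chain.doFilter(req, res);
    }

    /**
     * Returns true if any name=value pair in the raw query string uses a
     * body-only name. Names are URL-decoded first so that a percent-encoded
     * spelling of the same name does not slip past the check.
     */
    static boolean containsBodyOnlyParam(String rawQuery)
            throws UnsupportedEncodingException {
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (BODY_ONLY_PARAMS.contains(URLDecoder.decode(name, "UTF-8"))) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

The filter is registered with an ordinary filter and filter-mapping entry in the web application's web.xml, ahead of the application's own filters, so the query-string check runs before any request handler reads parameters. It matches parameter names, not values, so the deny list has to be kept in step with the forms that carry hidden fields. Finding 1 is a template change rather than a filter: every anchor rendered with target="_blank" should also carry rel="noopener noreferrer" so the opened page cannot reach back to the opener window.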

Re: Security Related Issues in OFBiz

Posted by Jacopo Cappellato <ja...@hotwaxsystems.com>.
Hi Vivek,

the best way to go is to use a release that is part of a release branch
that is still actively maintained:

https://ofbiz.apache.org/download.html

Security vulnerabilities on active branches should be reported to the OFBiz
security list: security@ofbiz.apache.org

Thank you,

Jacopo


On Tue, Dec 19, 2017 at 6:40 AM, vivek.mi <vm...@gmail.com> wrote:

> Hello All,
>
> A few issues were reported while testing my application, which is built upon
> the OFBiz framework, using the IBM AppScan tool for black-box testing. The
> issues are listed below:
>
> 1. Unsafe third-party link (target="_blank") in screens and forms.
>
> 2. Query Parameter in SSL Request while sending hidden fields in XML and
> FTL
> forms.
>
> 3. Body Parameters Accepted in Query
>
> 4. Archive File Download
>
> 5. Cacheable SSL Page Found
>
> Please suggest how I can go ahead to resolve these issues. I am using OFBiz
> version 12.05.
>
> Thanks in advance,
> Vivek Mishra
>
>
>
> -----
> Vivek Mishra
> --
> Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
>