You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Deepak Dixit (Jira)" <ji...@apache.org> on 2020/10/22 11:02:00 UTC
[jira] [Commented] (OFBIZ-12043) Host Header Injection still
present on present release
[ https://issues.apache.org/jira/browse/OFBIZ-12043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17218925#comment-17218925 ]
Deepak Dixit commented on OFBIZ-12043:
--------------------------------------
Hi MrR3Boot,
This is not an issue, you need to configure the allowed header in security.property[1] file.
By default following following host are configured, as per need user need to add valid host header
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
[1] https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/config/security.properties#L157
> Host Header Injection still present on present release
> ------------------------------------------------------
>
> Key: OFBIZ-12043
> URL: https://issues.apache.org/jira/browse/OFBIZ-12043
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: 17.12.04
> Reporter: MrR3boot
> Assignee: Deepak Dixit
> Priority: Major
> Labels: security
>
> It look like CVE-2019-12425 is not properly fixed in the 17.12.0.4 release. I can login to the application by changing host header to 127.0.0.1 and can access other applications.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)