Posted to user@ofbiz.apache.org by Boris Hamanov <bs...@gmail.com> on 2012/04/03 21:44:54 UTC

Dangerous security hole?

This one is in ecommerce controller.xml

<request-map uri="getConfigDetailsEvent">
<security https="false" auth="false"/>
<event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
<response name="success" type="none"/>
<response name="error" type="none"/>
</request-map>

I believe it is a very severe security threat as it does not require authentication and returns the session amongst many other things:

{"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"} 

Re: Dangerous security hole?

Posted by Mike <mz...@gmail.com>.
That is just your own session.  I first tried the second link and it
returned no session information.  The only thing that is questionable (or
useful to hackers) is the fact that it returns the physical path of the
ofbiz instance (i.e. /home/ofbiz/branch9/... etc), which isn't great.

On Thu, Apr 5, 2012 at 11:59 AM, Boris Hamanov <bs...@gmail.com> wrote:

> Just do
>
> 1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
> 2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent
>
> 3. You get:
> {"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}
>
> 4. Use your imagination :)
>
> -----Original Message----- From: Jacques Le Roux
> Date: 04 April 2012 20:43
> To: user@ofbiz.apache.org
> Subject: Re: Dangerous security hole?
>
>
> From trunk demo, I get only
> {"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper is null"}
>
> Could you reproduce there?
>
> Jacques
>
> From: "Boris Hamanov" <bs...@gmail.com>
> This one is in ecommerce controller.xml
>
> <request-map uri="getConfigDetailsEvent">
> <security https="false" auth="false"/>
> <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
> <response name="success" type="none"/>
> <response name="error" type="none"/>
> </request-map>
>
> I believe it is a very severe security threat as it does not require
> authentication and returns the session amongst many other things:
>
> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}
>

Re: Dangerous security hole?

Posted by Scott Gray <sc...@hotwaxmedia.com>.
The main issue regardless of the URL being hit is that JSON responses return the entire request attribute map.  It is IMO a problem that we've always used the request attributes directly to pass data from events to views.

Regards
Scott

On 6/04/2012, at 10:09 AM, Jacques Le Roux wrote:

> OK, you provided links to  demo-old.ofbiz which is actually R09.04 (exactly release09.04-1303717)
> But the same is still true in trunk, I checked.
> 
> Now, I may be missing something, but I don't see how the javax.servlet.request.ssl_session would expose any security hole.
> It's not related to the session (jsessionId). It's just an id that is part of SSL, and OFBiz doesn't use it at all. Hence it's not used in any session-related mechanism.
> 
> So my answer would be: there is no security hole regarding javax.servlet.request.ssl_session (id) exposed in a json result (the request being protected or not)
> 
> Did you have something in mind?
> 
> Jacques
> 
> 
> From: "Boris Hamanov" <bs...@gmail.com>
>> Just do
>> 
>> 1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
>> 2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent
>> 
>> 3. You get:
>> {"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper
>> is null"}
>> 
>> 4. Use your imagination :)
>> 
>> -----Original Message----- From: Jacques Le Roux
>> Date: 04 April 2012 20:43
>> To: user@ofbiz.apache.org
>> Subject: Re: Dangerous security hole?
>> 
>> From trunk demo, I get only
>> {"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper
>> is null"}
>> 
>> Could you reproduce there?
>> 
>> Jacques
>> 
>> From: "Boris Hamanov" <bs...@gmail.com>
>> This one is in ecommerce controller.xml
>> 
>> <request-map uri="getConfigDetailsEvent">
>> <security https="false" auth="false"/>
>> <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
>> <response name="success" type="none"/>
>> <response name="error" type="none"/>
>> </request-map>
>> 
>> I believe it is a very severe security threat as it does not require authentication and returns the session amongst many other
>> things:
>> 
>> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper
>> is null"}
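Scott's point is that the JSON event handler serialises whatever sits in the request attribute map, so container-set attributes (the SSL session id, the cipher suite) and framework keys (the physical context root, the control path) ride along with whatever the event meant to return. The following is an added example and not OFBiz code: it contrasts that leaky pattern with a handler that serialises only an explicit result map the event hands over under a single attribute, and with an interim denylist for a handler that must keep copying request attributes. The attribute name `_JSON_RESULT_`, the class and method names, and the sample attribute values are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added example (not OFBiz code): what reaches a JSON response body under three handler designs. */
public class JsonResponseExample {

    /** Hypothetical attribute name under which an event hands its view data to the JSON handler. */
    static final String JSON_RESULT_ATTR = "_JSON_RESULT_";

    /** What the event actually intended to send back (constructed sample). */
    static Map<String, Object> resultFromEvent() {
        Map<String, Object> result = new LinkedHashMap<>();
        result.put("productId", "WG-1111");
        result.put("configId", "CFG-42");
        return result;
    }

    /** Constructed sample of the request attribute map after an event ran, modelled on the
     *  key names visible in the thread; the values are made up for this example. */
    static Map<String, Object> sampleRequestAttributes() {
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("_CONTEXT_ROOT_", "/srv/app/webapp/ecommerce/");            // physical path on disk
        attrs.put("_SERVER_ROOT_URL_", "https://shop.example");
        attrs.put("_CONTROL_PATH_", "/ecommerce/control");
        attrs.put("javax.servlet.request.ssl_session", "0123abcd");           // set by the container
        attrs.put("javax.servlet.request.cipher_suite", "TLS_AES_128_GCM_SHA256");
        attrs.put("_ERROR_MESSAGE_", "configWrapper is null");
        attrs.put(JSON_RESULT_ATTR, resultFromEvent());
        return attrs;
    }

    /** Leaky pattern: the whole request scope becomes the JSON body. */
    static Map<String, Object> leakyJsonBody(Map<String, Object> requestAttributes) {
        return new LinkedHashMap<>(requestAttributes);
    }

    /** Hardened pattern (allowlist): only the event's explicit result map plus the user-facing
     *  error message are serialised. Container and framework attributes never reach the client
     *  because the handler never iterates the attribute map at all. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> hardenedJsonBody(Map<String, Object> requestAttributes) {
        Map<String, Object> body = new LinkedHashMap<>();
        Object result = requestAttributes.get(JSON_RESULT_ATTR);
        if (result instanceof Map) {
            body.putAll((Map<String, Object>) result);
        }
        Object error = requestAttributes.get("_ERROR_MESSAGE_");
        if (error != null) {
            body.put("_ERROR_MESSAGE_", error);
        }
        return body;
    }

    /** Framework keys that reveal deployment details; used by the interim denylist below. */
    static final Set<String> INTERNAL_KEYS = new HashSet<>(Arrays.asList(
            "_CONTEXT_ROOT_", "_SERVER_ROOT_URL_", "_CONTROL_PATH_"));

    /** Interim mitigation (denylist) for a handler that must keep copying request attributes:
     *  drop everything the container set and the known deployment-detail keys. A denylist has
     *  to be kept current as new attributes appear, which is why the allowlist is preferred. */
    static Map<String, Object> denylistedJsonBody(Map<String, Object> requestAttributes) {
        Map<String, Object> body = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : requestAttributes.entrySet()) {
            String key = e.getKey();
            if (key.startsWith("javax.servlet.") || INTERNAL_KEYS.contains(key)) {
                continue;
            }
            body.put(key, e.getValue());
        }
        return body;
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = sampleRequestAttributes();
        System.out.println("leaky:      " + leakyJsonBody(attrs));
        System.out.println("hardened:   " + hardenedJsonBody(attrs));
        System.out.println("denylisted: " + denylistedJsonBody(attrs));
    }
}
```

The leaky body reproduces the shape of the responses pasted in this thread; the hardened body contains only `productId`, `configId` and `_ERROR_MESSAGE_`. Whether the request is mapped with `auth="true"` or not does not change this: an authenticated user would receive the same container and framework attributes, which is why the handler, not the request map, is where the fix belongs.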


Re: Dangerous security hole?

Posted by Jacques Le Roux <ja...@les7arts.com>.
OK, you provided links to  demo-old.ofbiz which is actually R09.04 (exactly release09.04-1303717)
But the same is still true in trunk, I checked.

Now, I may be missing something, but I don't see how the javax.servlet.request.ssl_session would expose any security hole.
It's not related to the session (jsessionId). It's just an id that is part of SSL, and OFBiz doesn't use it at all. Hence it's not used in any
session-related mechanism.

So my answer would be: there is no security hole regarding javax.servlet.request.ssl_session (id) exposed in a json result (the 
request being protected or not)

Did you have something in mind?

Jacques


From: "Boris Hamanov" <bs...@gmail.com>
> Just do
>
> 1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
> 2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent
>
> 3. You get:
> {"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper
> is null"}
>
> 4. Use your imagination :)
>
> -----Original Message----- 
> From: Jacques Le Roux
> Date: 04 April 2012 20:43
> To: user@ofbiz.apache.org
> Subject: Re: Dangerous security hole?
>
> From trunk demo, I get only
> {"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper
> is null"}
>
> Could you reproduce there?
>
> Jacques
>
> From: "Boris Hamanov" <bs...@gmail.com>
> This one is in ecommerce controller.xml
>
> <request-map uri="getConfigDetailsEvent">
> <security https="false" auth="false"/>
> <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
> <response name="success" type="none"/>
> <response name="error" type="none"/>
> </request-map>
>
> I believe it is a very severe security threat as it does not require authentication and returns the session amongst many other
> things:
>
> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper
> is null"}

Re: Dangerous security hole?

Posted by Boris Hamanov <bs...@gmail.com>.
Just do

1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent

3. You get:
{"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper 
is null"}

4. Use your imagination :)

-----Original Message----- 
From: Jacques Le Roux
Date: 04 April 2012 20:43
To: user@ofbiz.apache.org
Subject: Re: Dangerous security hole?

From trunk demo, I get only
{"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper
is null"}

Could you reproduce there?

Jacques

From: "Boris Hamanov" <bs...@gmail.com>
This one is in ecommerce controller.xml

<request-map uri="getConfigDetailsEvent">
<security https="false" auth="false"/>
<event type="jsonjava" 
path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" 
invoke="getConfigDetailsEvent"/>
<response name="success" type="none"/>
<response name="error" type="none"/>
</request-map>

I believe it is a very severe security threat as it does not require
authentication and returns the session amongst many other things:

{"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper
is null"} 


Re: Dangerous security hole?

Posted by Jacques Le Roux <ja...@les7arts.com>.
From trunk demo, I get only
{"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper 
is null"}

Could you reproduce there?

Jacques

From: "Boris Hamanov" <bs...@gmail.com>
This one is in ecommerce controller.xml

<request-map uri="getConfigDetailsEvent">
<security https="false" auth="false"/>
<event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
<response name="success" type="none"/>
<response name="error" type="none"/>
</request-map>

I believe it is a very severe security threat as it does not require authentication and returns the session amongst many other things:

{"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper 
is null"} 

Re: Dangerous security hole?

Posted by Carsten Schinzer <c....@googlemail.com>.
hmmm. no result on my public shop setups (but I tend to clean up
control.xml for unused stuff).
Can you reproduce on the demo sites? Your tests seem to be on localhost.

Regards

Carsten

2012/4/4 Mike <mz...@gmail.com>:
> Wouldn't you need to know the session id?  If you call it, it would only
> return the data of your own session.  Maybe someone else with more
> experience can comment.
>
> On Tue, Apr 3, 2012 at 12:44 PM, Boris Hamanov <bs...@gmail.com> wrote:
>
>> This one is in ecommerce controller.xml
>>
>> <request-map uri="getConfigDetailsEvent">
>> <security https="false" auth="false"/>
>> <event type="jsonjava"
>> path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
>> invoke="getConfigDetailsEvent"/>
>> <response name="success" type="none"/>
>> <response name="error" type="none"/>
>> </request-map>
>>
>> I believe it is a very severe security threat as it does not require
>> authentication and returns the session amongst many other things:
>>
>>
>> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"
>> https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper
>> is null"}



-- 

Best

Carsten Schinzer

Plankstettenstr. 7
80638 München
Germany

Re: Dangerous security hole?

Posted by Mike <mz...@gmail.com>.
Wouldn't you need to know the session id?  If you call it, it would only
return the data of your own session.  Maybe someone else with more
experience can comment.

On Tue, Apr 3, 2012 at 12:44 PM, Boris Hamanov <bs...@gmail.com> wrote:

> This one is in ecommerce controller.xml
>
> <request-map uri="getConfigDetailsEvent">
> <security https="false" auth="false"/>
> <event type="jsonjava"
> path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
> invoke="getConfigDetailsEvent"/>
> <response name="success" type="none"/>
> <response name="error" type="none"/>
> </request-map>
>
> I believe it is a very severe security threat as it does not require
> authentication and returns the session amongst many other things:
>
>
> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"
> https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper
> is null"}