Posted to dev@ofbiz.apache.org by Pierre Smits <pi...@gmail.com> on 2012/04/16 11:43:33 UTC

Vulnerability in OFBiz?

I saw this tweeted:

*Michele Orru'* @antisnatchor <https://twitter.com/#!/antisnatchor>
<https://twitter.com/#!/antisnatchor/status/191823272214659072>

New XSSs on Apache OFBiz
http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html => after my recommendations years ago
https://issues.apache.org/jira/browse/OFBIZ-1959 they are still vulnerable :D LOL


How do we address this?

Regards,

Pierre

Re: Vulnerability in OFBiz?

Posted by Jacques Le Roux <ja...@les7arts.com>.
Mmm... re-reading OFBIZ-1959, I need to be more precise on that...
Actually Michele helped us much. But he did not answer our last questions (David's and mine).
Nobody ever reported XRSS issues but it's quite possible there are still...

Jacques

Jacques Le Roux wrote:
> It's not quite clear if it's only a joke or not.
>
> Because actually http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html were new vulnerabilities discovered by
> Matias Madou (mmadouhp.com) of Fortify/HP Security Research Group.
> Matias helped us to track them by giving precise URLs and ways of reproducing when Michele Orru' never answered precisely to our
> questions in this issue.
>
> The only way to be sure would be to reproduce what Michele described in this issue...
>
> Jacques
>

Re: Vulnerability in OFBiz?

Posted by Adrian Crum <ad...@sandglass-software.com>.
Correct. In addition, users of the release branches and trunk should 
update their local copies to the latest revisions.

-Adrian

On 4/16/2012 11:47 AM, Pierre Smits wrote:
> So if I understand it correctly the vulnerability issue is regarding
> 10.04.01 and has been fixed with 10.04.02. That's why we urge end users to
> upgrade.
>
>
> On 16 April 2012 12:31, Adrian Crum <adrian.crum@sandglass-software.com> wrote:

Re: Vulnerability in OFBiz?

Posted by Pierre Smits <pi...@gmail.com>.
So if I understand it correctly the vulnerability issue is regarding
10.04.01 and has been fixed with 10.04.02. That's why we urge end users to
upgrade.


On 16 April 2012 12:31, Adrian Crum <adrian.crum@sandglass-software.com> wrote:

> Michele likes to claim credit for reporting all current and future OFBiz
> vulnerabilities based on a very old Jira issue that was fixed long ago.
> He/she can be ignored.
>
> -Adrian

Re: Vulnerability in OFBiz?

Posted by Jacques Le Roux <ja...@les7arts.com>.
He: https://twitter.com/#!/antisnatchor

Jacques

Adrian Crum wrote:
> Michele likes to claim credit for reporting all current and future OFBiz
> vulnerabilities based on a very old Jira issue that was fixed long ago.
> He/she can be ignored.
>
> -Adrian

Re: Vulnerability in OFBiz?

Posted by Adrian Crum <ad...@sandglass-software.com>.
Michele likes to claim credit for reporting all current and future OFBiz 
vulnerabilities based on a very old Jira issue that was fixed long ago. 
He/she can be ignored.

-Adrian

On 4/16/2012 11:16 AM, Jacques Le Roux wrote:
> It's not quite clear if it's only a joke or not.
>
> Because actually
> http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html were
> new vulnerabilities discovered by Matias Madou (mmadouhp.com) of
> Fortify/HP Security Research Group.
> Matias helped us to track them by giving precise URLs and ways of
> reproducing when Michele Orru' never answered precisely to our
> questions in this issue.
>
> The only way to be sure would be to reproduce what Michele described
> in this issue...
>
> Jacques
>

Re: Vulnerability in OFBiz?

Posted by Jacques Le Roux <ja...@les7arts.com>.
It's not quite clear if it's only a joke or not.

Because actually http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html were new vulnerabilities discovered by
Matias Madou (mmadouhp.com) of Fortify/HP Security Research Group.
Matias helped us to track them by giving precise URLs and ways of reproducing when Michele Orru' never answered precisely to our
questions in this issue.

The only way to be sure would be to reproduce what Michele described in this issue...

Jacques

Pierre Smits wrote:
> I saw this tweeted:
>
> *Michele Orru'* @antisnatchor <https://twitter.com/#!/antisnatchor>
> <https://twitter.com/#!/antisnatchor/status/191823272214659072>
>
> New XSSs on Apache OFBiz
> http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html => after my recommendations years ago
> https://issues.apache.org/jira/browse/OFBIZ-1959 they are still vulnerable :D LOL
>
>
> How do we address this?
>
> Regards,
>
> Pierre

Re: Vulnerability in OFBiz?

Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
He is tweeting about the vulnerability announcement we did yesterday, that was fixed with the release 10.04.02 of yesterday... I don't think there is anything new to comment about.

Jacopo

On Apr 16, 2012, at 11:43 AM, Pierre Smits wrote:

> I saw this tweeted:
>
> *Michele Orru'* @antisnatchor <https://twitter.com/#!/antisnatchor>
> <https://twitter.com/#!/antisnatchor/status/191823272214659072>
>
> New XSSs on Apache OFBiz
> http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html => after my recommendations years ago
> https://issues.apache.org/jira/browse/OFBIZ-1959 they are still vulnerable :D LOL
>
>
> How do we address this?
>
> Regards,
>
> Pierre