Posted to user@ofbiz.apache.org by Deepak Dixit <de...@hotwaxsystems.com> on 2018/04/16 04:13:35 UTC

[MODERATE EMAIL] How to resolve CSRF attack

Hi Sonali,

Your email has been moderated. Please subscribe to the mailing list:
http://ofbiz.apache.org/mailing-lists.html


Thanks & Regards
--
Deepak Dixit
www.hotwax.co


---------- Forwarded message ----------
From: Sonali Agrahari <so...@gmail.com>
To: user@ofbiz.apache.org
Cc:
Bcc:
Date: Sun, 15 Apr 2018 21:08:07 -0700 (MST)
Subject: How to resolve CSRF attack
Hello all,

  I am using OFBiz version 12.04 in my application.
  When logged in to the application as the admin user and opening web mail in
another browser, suppose we receive a mail which has the link
http://xyz.com/activate.html .
The link points to an HTML file such as:

<html>
  <head>
  </head>
  <body>
    <form action="https://localhost:8443/catalog/control/CreateProductCategory"
          name="f1" id="f1" method="post">
      <input type="hidden" name="sectorName" id="sectorName" value="SECTOR">
      <input type="hidden" name="productName" id="productName" value="PRODUCT">
    </form>
  </body>
</html>

The user clicks on this link while he is logged on to the application. As
the crafted form is doing a POST request in a valid session, the requested
POST gets executed and the result will be displayed, i.e. all values will be
inserted into the database properly.
And the link gets opened in another tab of the same browser.

How can I resolve this type of vulnerability?
Kindly help.


Thanks & regards
Sonali

--
Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
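The classic fix for the attack described in the message is a synchronizer token: the server embeds a per-session secret in every form it renders and rejects any state-changing request that does not echo it back, since a page on xyz.com can make the browser send the admin's session cookie but cannot read the token out of the application's own HTML. The following is an added, self-contained illustration written for this thread, not code from OFBiz or from either poster. The request model, the `csrfToken` field name, the per-deployment secret and the "fail closed on missing Origin/Referer" policy are all assumptions; the only values taken from the post are the CreateProductCategory form fields, the application origin https://localhost:8443 and the attacker host xyz.com.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumptions (not OFBiz code): a per-deployment secret held only on the server,
# and the application's own origin as the browser sees it.
SECRET_KEY = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"https://localhost:8443"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for the servlet request a filter would see."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None  # from the session cookie the browser attaches on its own


def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC, so the server stores nothing
    extra. It is embedded only in pages the application itself renders, which a
    page on xyz.com cannot read."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(req: Request) -> bool:
    """Defence in depth: a cross-site form post carries the attacker's Origin."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False  # assumption: fail closed when neither header is present
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def csrf_filter(req: Request) -> Tuple[int, str]:
    """Return (status, reason) as a filter in front of CreateProductCategory would."""
    if req.method.upper() in SAFE_METHODS:
        return 200, "read-only request passed through"
    if req.session_id is None:
        return 401, "no session"
    if not origin_allowed(req):
        return 403, "origin not allowed"
    if not hmac.compare_digest(req.form.get("csrfToken", ""), issue_token(req.session_id)):
        return 403, "missing or invalid csrfToken"
    return 200, "created"


def attacker_post(session_id: str) -> Request:
    """The crafted form from the post, as the browser would submit it from xyz.com."""
    return Request(
        method="POST",
        headers={"Origin": "http://xyz.com"},
        form={"sectorName": "SECTOR", "productName": "PRODUCT"},
        session_id=session_id,
    )


def legitimate_post(session_id: str) -> Request:
    """The same form rendered by the application itself, which includes the token."""
    return Request(
        method="POST",
        headers={"Origin": "https://localhost:8443"},
        form={"sectorName": "SECTOR", "productName": "PRODUCT",
              "csrfToken": issue_token(session_id)},
        session_id=session_id,
    )


def forged_token_post(session_id: str) -> Request:
    """Correct Origin header but a token minted for a different session."""
    req = legitimate_post(session_id)
    req.form["csrfToken"] = issue_token("some-other-session")
    return req


if __name__ == "__main__":
    sid = "admin-session-1"  # constructed sample session id
    for name, req in [("attacker", attacker_post(sid)),
                      ("legitimate", legitimate_post(sid)),
                      ("forged token", forged_token_post(sid))]:
        print(name, csrf_filter(req))
```

The token check is the part that actually closes the hole; the Origin/Referer comparison is a second, independent line of defence, and marking the session cookie SameSite (where the deployed browsers honour it) is a third. Whatever framework hook is used, the filter has to run before the request reaches the CreateProductCategory handler, and every form the application renders has to include the token field.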