*creating a new thread to leave the vote thread untouched*


In my understanding from the previous threads about the impersonation features, it is disabled by default and must be enabled explicitly.

Using this feature and dealing with the consequences is up to the user then. So I see no valid concern to have this feature in the codebase.

Am I missing something?

Michael Brohl

ecomify GmbH - www.ecomify.de

Am 28.02.20 um 08:49 schrieb Gil Portenseigne:
Hello Pierre,

If you are talking about impersonation feature, that is not in the 17.12
branch.

In either way, administrative tools, if we got access to it, allow what
your are saying. But there is no security issue that grant these
privilege we are aware of. If you do, please share to the security list.

I'm open to discuss about the "criminal" aspect of the impersonation
feature, but not on this thread.

Gil

On Fri, Feb 28, 2020 at 02:54:01AM +0100, Pierre Smits wrote:
-1

As this release contains software elements that will enable criminal
parties to gain access to the implemented OFBiz system of a user (a
business organisation) and impersonate valid users with the intent to bring
harm to the aforementioned business organisation through transactions
registered by the impersonated valid user..

Met vriendelijke groet,

Pierre Smits

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to