You could try looking at the Visit and ServerHit records for the user to get an idea of what may have done this.

What caused this is a good question... the database is supposed to be cleaned out every day, and if it isn't working then something's up. One possibility is that the theme was changed through an insecure URL if there is one somewhere in some application, and that would work.

-David


On Mar 10, 2009, at 4:44 PM, Bruno Busco wrote:

Yes, I need to dig into it further, but I suppose it is related to the
recent, stronger OFBiz security constraint.
The strange thing (not strictly related to the security but to how
VisualThemes are set) is that even if this security issue is already
deployed to the demo server, there should be some way to change the
Visual Theme.
Until a few minutes ago the backoffice was not working with admin/ofbiz
because the multiflex theme was selected (that is not supposed to be
used in the backoffice).
I logged in as demoadmin/ofbiz and found the bluelight theme in place
for this login.
Finally I logged in as flexadmin/ofbiz and manually deleted the
UserPreferences record that had admin stuck on multiflex.
Doing this, the demo is working again now, but... how were people able to
change the theme?

I tried to use party/visits and webtools/logs in order to discover the
"hack", but no way.
It would be interesting to know how to track the user activity that
led to this. How?

-Bruno

2009/3/10 David E Jones <david.jo...@hotwaxmedia.com>:

I did write some messages and sent them to this list, one to propose these
changes and another to communicate that they were in place... :)

Of course, now that people are seeing the downside to security, maybe
opinions won't be so in favor of it? ;)

-David


On Mar 10, 2009, at 4:28 PM, Adrian Crum wrote:

I encountered that error too.

-Adrian

Bruno Busco wrote:

Hi,
in the latest trunk (rev. 752277) I got this error whenever I try to
change the VisualTheme in the backoffice:
The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException:
Found URL parameter [userPrefTypeId] passed to secure (https)
request-map with uri [setUserPreference] with an event that calls
service [setUserPreference]; this is not allowed for security reasons!
-Bruno
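The rule behind the error Bruno quotes, modelled as an added example (this is illustrative code, not OFBiz's own ServiceEventHandler; the RequestMap class and the check method are assumptions). It shows the three situations discussed in the thread: a service-calling request-map marked secure rejects parameters arriving in the URL query string, the same parameters in a POST body are accepted, and a request-map not marked secure is not covered by the rule at all, which is why a theme change through an "insecure URL" elsewhere remains possible.

```java
import java.util.Set;

// Added illustration of the OFBiz security constraint quoted in the error above.
// A request-map that dispatches to a service event and is marked secure (https)
// must not receive its parameters in the URL query string; they must come from
// the request body, so that a bare link cannot invoke a state-changing service.
public class SecureRequestMapCheck {

    // Hypothetical request-map description: uri, secure flag, and the service it calls.
    static final class RequestMap {
        final String uri; final boolean secure; final String service;
        RequestMap(String uri, boolean secure, String service) {
            this.uri = uri; this.secure = secure; this.service = service;
        }
    }

    // Returns null when the call is allowed, otherwise the rejection message.
    // queryParams holds parameter names taken from the URL query string only,
    // never from the POST body.
    static String check(RequestMap map, Set<String> queryParams) {
        if (map.service == null) return null;   // not a service event: rule does not apply
        if (!map.secure) return null;           // not a secure request-map: rule is not enforced
        if (queryParams.isEmpty()) return null; // parameters came in the body: allowed
        String name = queryParams.iterator().next();
        return "Found URL parameter [" + name + "] passed to secure (https) request-map with uri ["
            + map.uri + "] with an event that calls service [" + map.service
            + "]; this is not allowed for security reasons!";
    }

    public static void main(String[] args) {
        RequestMap securePref = new RequestMap("setUserPreference", true, "setUserPreference");
        // 1. Theme switched via a GET link over https: rejected (the error in the thread)
        System.out.println(check(securePref, Set.of("userPrefTypeId", "userPrefValue")));
        // 2. Same parameters sent in a POST body over https: allowed (prints null)
        System.out.println(check(securePref, Set.of()));
        // 3. Same link hitting a request-map that is not marked secure: allowed (prints null),
        //    which is the "insecure URL somewhere in some application" David mentions
        RequestMap insecurePref = new RequestMap("setUserPreference", false, "setUserPreference");
        System.out.println(check(insecurePref, Set.of("userPrefTypeId")));
    }
}
```

The third case is the one to audit for when looking into how the theme got changed: any request-map calling the same service that is not marked secure would accept a plain URL.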
