[ https://issues.apache.org/jira/browse/OFBIZ-2449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-2449:
-----------------------------------

    Description: 
We also have targets with params in the URL in forms, despite their already using the POST action.

In *form*.xml, look for
{code}
<<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances)
<<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> (23 instances)
{code}

An easy example to use is ListPhysicalInventory.

So we should extend the param-name scheme to the form widget also.
Maybe some targets do not call services and so are not real threats (no changes possible in the DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them.



  was:
We also have targets with params in the URL in forms, despite their already using the POST action.
Look for <<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances) and <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> (23 instances) in *form*.xml.

An easy example to use is ListPhysicalInventory.

So we should extend the param-name scheme to the form widget also.
Maybe some targets do not call services and so are not real threats (no changes possible in the DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them.




> Secure targets in widget forms
> ------------------------------
>
>                 Key: OFBIZ-2449
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2449
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Release Branch 9.04, SVN trunk
>            Reporter: Jacques Le Roux
>             Fix For: Release Branch 9.04, SVN trunk
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

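As an added example (not part of the issue and not OFBiz code), a small Python scanner that applies the search described above to form widget XML and also catches the wrapped case where `target` sits on a line after `<form`, the one the second regex with `\R` is for. The sample XML is constructed (the first form only borrows the name the issue cites), and the `*form*.xml` file naming is assumed from the issue.

```python
import re
from pathlib import Path

# Opening <form ...> tag; the attribute list may span several lines, which is
# the case the issue's second (\R) regex exists for.  <form\b skips <forms>.
FORM_OPEN_TAG = re.compile(r"<form\b[^>]*>")
# target="<request>?<query>": a form that carries parameters in the URL
TARGET_WITH_QUERY = re.compile(r'target="([^"?]*)\?([^"]*)"')
FORM_NAME = re.compile(r'(?<![\w-])name="([^"]*)"')  # not list-name= etc.


def find_form_targets_with_params(xml_text):
    """Return (line, form name, request path, [param names]) for every <form>
    whose target has a query string, whether or not target is line-wrapped."""
    hits = []
    for tag_match in FORM_OPEN_TAG.finditer(xml_text):
        tag = tag_match.group(0)
        target = TARGET_WITH_QUERY.search(tag)
        if target is None:
            continue  # plain target: any parameters travel in the POST body
        name = FORM_NAME.search(tag)
        form_name = name.group(1) if name else "?"
        # attribute values are XML-escaped, so separators may be &amp; or &
        pairs = re.split(r"&amp;|&", target.group(2))
        param_names = [p.split("=", 1)[0] for p in pairs if p]
        line = xml_text.count("\n", 0, tag_match.start()) + 1
        hits.append((line, form_name, target.group(1), param_names))
    return hits


def scan_tree(root):
    """Run the check over every *form*.xml below root (assumed OFBiz naming)."""
    report = {}
    for path in Path(root).rglob("*form*.xml"):
        hits = find_form_targets_with_params(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample, not real OFBiz content: one wrapped target with a query,
# one single-line target with two params, one clean target.
SAMPLE_FORM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <form name="ListPhysicalInventory" type="list" list-name="physicalInventoryList"
        target="updatePhysicalInventory?facilityId=${facilityId}">
        <field name="quantityOnHandTotal"><text/></field>
    </form>
    <form name="EditFacility" type="single" target="updateFacility?facilityId=${facilityId}&amp;mode=edit">
        <field name="facilityName"><text/></field>
    </form>
    <form name="CreateFacility" type="single" target="createFacility">
        <field name="facilityName"><text/></field>
    </form>
</forms>
"""

if __name__ == "__main__":
    for line, name, request, params in find_form_targets_with_params(SAMPLE_FORM_XML):
        print(f"line {line}: form {name} -> {request} carries {params} in the URL")
```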