[CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments
Hi everyone,

I was recently made aware of an attack on an OFBiz deployment using the vulnerability described below. The attackers were able to exploit the xmlrpc endpoint to initiate a full export of the database. Fortunately this deployment had an extremely large database and the attempt set off a number of alerts which enabled the attack to be halted before any harm was done. A smaller (or lightly monitored) OFBiz installation would probably not have been so fortunate.

Just sharing this to let everyone know that this vulnerability is being exploited in the wild, and if you haven't taken steps to lock down this endpoint then you should do so ASAP. Please also share this warning with anyone you know who might be affected but perhaps doesn't keep an eye on this list.

https://issues.apache.org/jira/browse/OFBIZ-11716

Regards,
Scott
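As an added illustration (not part of Scott's message or of the OFBiz project), here is a small Python check that reviews web-server access logs for traffic to the XML-RPC endpoint and summarises, per source address, how many requests hit it and whether any response was unusually large, the kind of signal that halted the attack described above. The endpoint path /webtools/control/xmlrpc, the size threshold and the sample log lines are assumptions constructed for the example; adjust them to your deployment.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache httpd or Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumption: the OFBiz XML-RPC endpoint is served at this path; adjust to your deployment.
XMLRPC_PATH = "/webtools/control/xmlrpc"
# Assumption: a legitimate XML-RPC reply is small, so a response of this size or larger
# from the endpoint (for instance a bulk data export) is worth an alert.
LARGE_RESPONSE_BYTES = 1_000_000

# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Nov/2020:10:15:01 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 1834 "-" "python-requests/2.24"
198.51.100.7 - - [16/Nov/2020:10:15:03 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Nov/2020:10:15:09 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 52000000 "-" "python-requests/2.24"
203.0.113.5 - - [16/Nov/2020:10:16:00 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 200 920 "-" "Java/11"
"""

def parse_line(line):
    # Returns a dict of fields, or None when the line is not in combined log format.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before comparing
    return rec

def xmlrpc_activity(log_text):
    """Per-source summary of requests that reached the XML-RPC endpoint."""
    hits = defaultdict(lambda: {"requests": 0, "large_responses": 0, "max_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != XMLRPC_PATH:
            continue
        h = hits[rec["ip"]]
        h["requests"] += 1
        h["max_bytes"] = max(h["max_bytes"], rec["bytes"])
        if rec["bytes"] >= LARGE_RESPONSE_BYTES:
            h["large_responses"] += 1
    return dict(hits)

def alerts(log_text, allowlist=frozenset()):
    """Sources that used the endpoint but are not known integration clients."""
    return {ip: s for ip, s in xmlrpc_activity(log_text).items() if ip not in allowlist}
```

Run it over your own access logs with the allowlist set to the integration hosts that legitimately call the endpoint; anything left over deserves a look.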
Re: ecommerce - custom categories menu item in header
Hi Mike,

Take a look at ecommerce/template/catalog/SideDeepCategory.ftl; there's a macro there that has everything you need. We adapted that to build our menus for us; the wrappers are attached to the context in the related groovy files.

Hope that helps.

Jason

On 16/11/2020 11:34, mike Butler wrote:
> I am customising the main decorator for ecommerce and have a Header.ftl which includes dropdown menus, and I am working on a dropdown menu for categories.
>
> What I have tried so far: for the categories menu I have included ProductCategories.groovy as an action in the main-decorator (as used in the categories in the left panel of the main div), which I believe should provide a hash, "productCategoryID", which I can use in the Header.ftl. Can you please confirm that is correct?
>
> From reading the ftl documentation I think I have to use an ftl object-wrapper, but without an example I do not understand how to code that. I have used <#list productCategoryId?keys as root>, which is just a guess, but it does produce a very nice menu with a dropdown containing fifteen "productCategory" entries (that's "productCategory" 15 times), so at least I know something is happening. I would also like to understand what and how I can display from the hash.
>
> Current test coding is below. Any pointers/help with this menu would be a very much appreciated learning experience for me.
>
> Regards,
> Mike Butler
> Freelance Consultant
>
> <#-- Some sort of object wrapping please help -->
> <#if (productCategoryId?has_content)>
>   <#list productCategoryId?keys as root>
>     --- What would be the correct syntax?
>     ${uiLabelMap.productCategory}
>   </#list>
> <#else>
>   ${uiLabelMap.Category} ${uiLabelMap.Product}
> </#if>
ecommerce - custom categories menu item in header
I am customising the main decorator for ecommerce and have a Header.ftl which includes dropdown menus, and I am working on a dropdown menu for categories.

What I have tried so far: for the categories menu I have included ProductCategories.groovy as an action in the main-decorator (as used in the categories in the left panel of the main div), which I believe should provide a hash, "productCategoryID", which I can use in the Header.ftl. Can you please confirm that is correct?

From reading the ftl documentation I think I have to use an ftl object-wrapper, but without an example I do not understand how to code that. I have used <#list productCategoryId?keys as root>, which is just a guess, but it does produce a very nice menu with a dropdown containing fifteen "productCategory" entries (that's "productCategory" 15 times), so at least I know something is happening. I would also like to understand what and how I can display from the hash.

Current test coding is below. Any pointers/help with this menu would be a very much appreciated learning experience for me.

Regards,
Mike Butler
Freelance Consultant

<#-- Some sort of object wrapping please help -->
<#if (productCategoryId?has_content)>
  <#list productCategoryId?keys as root>
    --- What would be the correct syntax?
    ${uiLabelMap.productCategory}
  </#list>
<#else>
  ${uiLabelMap.Category} ${uiLabelMap.Product}
</#if>
Re: Shorten the order fulfillment process
Hi Georg,

You can get the same locally by using gradlew loadAll ofbiz, then going to https://localhost:8443/ordermgr/control/orderentry and following the order entry wizard (tunnel of screens).

HTH

Jacques

On 16/11/2020 at 08:03, Georg Potthast wrote:
> Hi Jacques,
>
> I wanted to look again at the link you provided, but it is no longer available. Is the code available somewhere?
>
> [1] https://demo-trunk.ofbiz.apache.org/ordermgr/control/orderentry
>
> Georg
>
> -----Original Message-----
> From: Jacques Le Roux
> Sent: Monday, August 10, 2020 4:10 PM
> To: user@ofbiz.apache.org
> Subject: Re: Shorten the order fulfillment process
>
> Hi Georg,
>
> I did something like that in 2007 for an ecommerce GB company (not with the signed delivery note part). I had to add some custom code to the order entry wizard/tunnel[1] and it's still the same today. As the needs are most of the time specific there is no way to have that OOTB. But it's easy to add because all the bricks are present.
>
> HTH
>
> Jacques
>
> [1] https://demo-trunk.ofbiz.apache.org/ordermgr/control/orderentry
>
> On 07/08/2020 at 10:04, Georg Potthast 2 wrote:
>> I hope this question will open in a new thread.
>>
>> We are planning to replace our old ERP system with an OFBiz based system. However, we currently have a different process than the one described in the wiki page OFBIZ/Order+Fulfillment+Process+Overview.
>>
>> We take the orders by phone and generate a delivery note from that. Our driver picks the goods from our storage and delivers them to the customer. When he returns with a signed delivery note from the customer, we enter the delivery note into the ERP system. The ERP system takes a look at the agreement details for the customer, including his price, and generates an invoice which is sent in the mail.
>>
>> This does not seem to fit the process described in the wiki page. How can we use OFBiz to fit our existing process?