On 18/07/2020 at 11:34, Jacques Le Roux wrote:
On 13/07/2020 at 14:50, Jacques Le Roux wrote:
Something related I already shared in the security ML:
I guess we don't want to change (I don't mean the NOTE but the feature).
// NOTE: must check permission first so that admin users can set
On 13/07/2020 at 14:50, Jacques Le Roux wrote:
Something related I already shared in the security ML:
I guess we don't want to change (I don't mean the NOTE but the feature).
// NOTE: must check permission first so that admin users can set own
password without specifying old password
I
Hi James,
Inline...
On 13/07/2020 at 08:36, James Yong wrote:
Hi Jacques,
There are a number of reports relating to CSRF.
To reduce the number of false positive security alerts, I think the CSRF
defense should be turned on in the demo.
The OFBiz specific CSRF defense exists only in trunk b
On 12/07/2020 at 13:07, Jacques Le Roux wrote:
Hi team,
We recently got a security report about checkNewPassword where it was claimed a
CSRF vulnerability because of ignoreCurrentPassword but I rejected it.
I have though added a comment in trunk to allow users to add OFBiz specific
CSRF de
Hi Girish,
On 13/07/2020 at 05:48, Girish Vasmatkar wrote:
Hi Jacques
I think the vulnerability does not exist if the CSRF defence is in place.
Yes I already answered the same to the reporter and he agreed.
If there is no defence in place, there is a possibility of using system
account se
Hi Jacques,
There are a number of reports relating to CSRF.
To reduce the number of false positive security alerts, I think the CSRF
defense should be turned on in the demo.
I feel there should be additional verification like checking current password
when the user is doing password change.
Ple
Hi Jacques
I think the vulnerability does not exist if the CSRF defence is in place.
If there is no defence in place, there is a possibility of using system
account session to change the admin password.
As for bypassing current password check if the user is admin, it won't hurt
if the check was i
Hi team,
We recently got a security report about checkNewPassword where it was claimed a
CSRF vulnerability because of ignoreCurrentPassword but I rejected it.
I have though added a comment in trunk to allow users to add OFBiz specific
CSRF defense in case it would be needed (peculiar browser