Re: How to resolve CSRF attack

2018-04-17 Thread Chris Clark
Ahh ok, makes sense, you know to first sign up for the listserv before you hit it up xD... On Tue, Apr 17, 2018, 4:27 AM Jacques Le Roux, wrote: > It means that the person sends a message to the ML w/o being subscribed to > it. So we (moderators) have to allow this

Re: How to resolve CSRF attack

2018-04-17 Thread Jacques Le Roux
Hi Paul, I tried hard to use it 9 months ago but did not succeed. I even then inadvertently committed my then-WIP work and then removed it at http://svn.apache.org/viewvc?view=revision=1799243 I also tried the Tomcat RestCsrfPreventionFilter, see my comment in OFBIZ-6766 at

Re: How to resolve CSRF attack

2018-04-17 Thread Jacques Le Roux
It means that the person sends a message to the ML w/o being subscribed to it. So we (moderators) have to allow this message to pass. Jacques On 17/04/2018 at 04:49, Chris Clark wrote: What does "your message has been moderated" mean? On Mon, Apr 16, 2018, 3:00 AM Sonali Agrahari,

Re: How to resolve CSRF attack

2018-04-16 Thread Chris Clark
What does "your message has been moderated" mean? On Mon, Apr 16, 2018, 3:00 AM Sonali Agrahari, wrote: > Hello all, > > I am using OFBiz 12.04 version in my application. > When logged in to the application as admin user and open web mail in > another browser,

Re: How to resolve CSRF attack

2018-04-16 Thread Paul Foxworthy
Hi Michael, I would say it is a vulnerability. OFBiz could make this distinction if we add a hidden field to each form with a unique hash, and verify the hash is correct when processing a POST. A spoofed form wouldn't have the right hash. We are already using some of the OWASP (Open Web

Re: How to resolve CSRF attack

2018-04-16 Thread Michael Brohl
Hi Sonali, this is not a vulnerability. You are logged in and posting a request from the same browser with the same session. There is no chance for OFBiz to make a distinction between a request initiated from an OFBiz generated page or any other page (like your webmail) from the same

Re: How to resolve CSRF attack

2018-04-16 Thread Jacques Le Roux
Hi Sonali, Your last email has been moderated again http://ofbiz.135035.n4.nabble.com/MODERATE-EMAIL-How-to-resolve-CSRF-attack-td4721783.html The 1st one being https://markmail.org/message/jmkabexchsb7cvl2 4 months ago. Please, as Nabble also suggests, consider subscribing to the user ML

How to resolve CSRF attack

2018-04-16 Thread Sonali Agrahari
Hello all, I am using OFBiz 12.04 version in my application. When logged in to the application as admin user and open web mail in another browser, suppose we received a mail which has a link http://xyz.com/activate.html . The link points to an html file as:

[MODERATE EMAIL] How to resolve CSRF attack

2018-04-15 Thread Deepak Dixit
Bcc: Date: Sun, 15 Apr 2018 21:08:07 -0700 (MST) Subject: How to resolve CSRF attack Hello all, I am using OFBiz 12.04 version in my application. When logged in to the application as admin user and open web mail in another browser, suppose we received a mail which has a link http://xyz.com/act