The main issue regardless of the URL being hit is that JSON responses return the entire request attribute map. It is IMO a problem that we've always used the request attributes directly to pass data from events to views.
Regards,
Scott

On 6/04/2012, at 10:09 AM, Jacques Le Roux wrote:

> OK, you provided links to demo-old.ofbiz which is actually R09.04 (exactly release09.04-1303717)
> But the same is still true in trunk, I checked.
>
> Now, I may be missing something, but I don't see how the javax.servlet.request.ssl_session would expose any security holes.
> It's not related to the session (jsessionId). Just an Id part of SSL, and OFBiz doesn't use it at all. Hence it's not used in any session related mechanism.
>
> So my answer would be: there is no security hole regarding javax.servlet.request.ssl_session (id) exposed in a json result (the request being protected or not)
>
> Did you have something in mind?
>
> Jacques
>
>
> From: "Boris Hamanov" <bsh...@gmail.com>
>> Just do
>>
>> 1. https://demo-old.ofbiz.apache.org/ecommerce/control/viewSimpleContent
>> 2. https://demo-old.ofbiz.apache.org/ecommerce/control/getConfigDetailsEvent
>>
>> 3. You get:
>> {"targetRequestUri":"/getConfigDetailsEvent","javax.servlet.request.key_size":256,"_CONTEXT_ROOT_":"/home/ofbiz/branch9/specialpurpose/ecommerce/webapp/ecommerce/","javax.servlet.request.ssl_session":"E3193F0DADE7779A321E3339D8BC0D7420B9DB29283CCFFDC3C8782C0B4E12B9","_SERVER_ROOT_URL_":"https://demo-old.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","javax.servlet.request.cipher_suite":"DHE-RSA-AES256-SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}
>>
>> 4. Use your imagination :)
>>
>> -----Original Message----- From: Jacques Le Roux
>> Date: 04 April 2012 20:43
>> To: user@ofbiz.apache.org
>> Subject: Re: Dangerous security hole?
>>
>> From trunk demo, I get only
>> {"targetRequestUri":"/getConfigDetailsEvent","_CONTEXT_ROOT_":"/home/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/","_FORWARDED_FROM_SERVLET_":true,"_SERVER_ROOT_URL_":"http://demo-trunk.ofbiz.apache.org","_CONTROL_PATH_":"/ecommerce/control","thisRequestUri":"json","_ERROR_MESSAGE_":"configWrapper is null"}
>>
>> Could you reproduce there?
>>
>> Jacques
>>
>> From: "Boris Hamanov" <bsh...@gmail.com>
>> This one is in ecommerce controller.xml
>>
>> <request-map uri="getConfigDetailsEvent">
>>     <security https="false" auth="false"/>
>>     <event type="jsonjava" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
>>     <response name="success" type="none"/>
>>     <response name="error" type="none"/>
>> </request-map>
>>
>> I believe it is a very severe security threat as it does not require authentication and returns the session amongst many other things:
>>
>> {"targetRequestUri":"/ViewSimpleContent","javax.servlet.request.key_size":128,"_CONTEXT_ROOT_":"C:\\apache-ofbiz-09.04.01\\hot-deploy\\ofbec\\webapp\\husastore\\","javax.servlet.request.ssl_session":"4f7b4cdfbe32ebf5a5017336a8cab96cdd23161038c8b0c132fab3cb67d01d92","_SERVER_ROOT_URL_":"https://localhost:8443","_CONTROL_PATH_":"/husastore/control","javax.servlet.request.cipher_suite":"TLS_DHE_RSA_WITH_AES_128_CBC_SHA","thisRequestUri":"getConfigDetailsEvent","_ERROR_MESSAGE_":"configWrapper is null"}
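The point Scott raises above, that a JSON event handler which serializes the whole request attribute map will echo whatever the container and framework stashed there, is illustrated by the added example below. It is not OFBiz code and it does not touch the servlet API: a plain dict stands in for the request attribute map, with constructed values modelled on the bodies quoted in the thread (the session id and path are placeholders). It shows the dump-everything pattern beside an allowlist pattern where the event declares the keys it returns, plus a small response checker a tester or a log-review script could run over JSON bodies to flag deployment and TLS-session attributes that should never appear there. The key patterns in INTERNAL_KEY_PATTERNS are my choice, not a list from the project.

```python
"""Added example, not OFBiz code: whole-map JSON dumps versus an allowlist,
with a checker for internal attribute names leaking into JSON responses."""
import json
import re

# Constructed stand-in for a servlet request attribute map, modelled on the
# bodies quoted in the thread. The session id and context root are placeholders.
SAMPLE_REQUEST_ATTRIBUTES = {
    "targetRequestUri": "/getConfigDetailsEvent",
    "thisRequestUri": "getConfigDetailsEvent",
    "javax.servlet.request.key_size": 256,
    "javax.servlet.request.cipher_suite": "DHE-RSA-AES256-SHA",
    "javax.servlet.request.ssl_session": "PLACEHOLDER_SSL_SESSION_ID",
    "_CONTEXT_ROOT_": "/PLACEHOLDER/webapp/ecommerce/",
    "_SERVER_ROOT_URL_": "https://shop.example",
    "_CONTROL_PATH_": "/ecommerce/control",
    "_ERROR_MESSAGE_": "configWrapper is null",
}

# Attribute names set by the container or the framework for its own use
# (assumed list): TLS connection details and deployment layout. A JSON body
# that contains any of these is reporting more than the event meant to return.
INTERNAL_KEY_PATTERNS = (
    re.compile(r"^javax\.servlet\."),
    re.compile(r"^_(CONTEXT_ROOT|SERVER_ROOT_URL|CONTROL_PATH)_$"),
)


def dump_all_attributes(attrs):
    """The problematic pattern: serialize every request attribute as-is."""
    return json.dumps(attrs, sort_keys=True)


def dump_allowlisted(attrs, allowed):
    """The hardened pattern: the event names the keys it returns; nothing
    else in the attribute map reaches the client."""
    return json.dumps({k: attrs[k] for k in allowed if k in attrs}, sort_keys=True)


def find_internal_keys(json_text):
    """Detection side: return the internal attribute names present in a JSON
    object body, sorted. Non-JSON or non-object bodies yield an empty list."""
    try:
        body = json.loads(json_text)
    except ValueError:
        return []
    if not isinstance(body, dict):
        return []
    return sorted(k for k in body if any(p.match(k) for p in INTERNAL_KEY_PATTERNS))


if __name__ == "__main__":
    leaky = dump_all_attributes(SAMPLE_REQUEST_ATTRIBUTES)
    tight = dump_allowlisted(SAMPLE_REQUEST_ATTRIBUTES, ("_ERROR_MESSAGE_",))
    print("whole-map dump leaks:", find_internal_keys(leaky))
    print("allowlisted dump leaks:", find_internal_keys(tight))
    print("allowlisted body:", tight)
```

The checker is deliberately key-based rather than value-based: the leak here is structural (the handler returns the map it was handed), so the fix and the test both belong at the level of which keys an event is permitted to emit, not at the level of scrubbing particular values after the fact.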