Hi Sonali, this is not a vulnerability.
You are logged in and posting a request from the same browser with the same session. There is no chance for OFBiz to make a distiction between a request initiated from an OFBiz generated page or any other page (like your webmail) from the same browser/session.
Regards, Michael Am 16.04.18 um 06:08 schrieb Sonali Agrahari:
Hello all, I am using OFBiz 12.04 version in my application. When logged in to the application as admin user and open web mail in another browser , suppose we received a mail which have link http://xyz.com/activate.html . The links points to html file as : <html> <head></head><body> <form action = "https://localhost:8443/catalog/control/CreateProductCategory"; name = "f1" id = "f1" method = "post"> <input type = "hidden" name = "sectorName" id = "sectorName" value = "SECTOR" > <input type = "hidden" name = "productName" id = "productName" value = "PRODUCT" > </form> </body> </html> The user clicks on this link while he has logged on to the application. As the crafted form is doing a post request in a valid session, the requested post gets executed and result will be displayed i.e. all values will be inserted in database properly. And the link gets opened in other tab of same browser. How can resolve this type of vulnerability. Kindly help. Thanks & regards Sonali -- Sent from: http://ofbiz.135035.n4.nabble.com/OFBiz-User-f135036.html
smime.p7s
Description: S/MIME Cryptographic Signature
