ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-10420) session fixation issue
Date Fri, 01 Jun 2018 07:47:00 GMT
Jacques Le Roux created OFBIZ-10420:
---------------------------------------

             Summary: session fixation issue
                 Key: OFBIZ-10420
                 URL: https://issues.apache.org/jira/browse/OFBIZ-10420
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
    Affects Versions: 16.11.04, Trunk, 17.12.01
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux
             Fix For: 17.12.01, 16.11.05


With the security audit tool "IBM Security AppScan Enterprise , Version : 9.0.3.7" A client
discovered a [session fixation security issue|https://www.owasp.org/index.php/Session_fixation]

[OWASP describes here how to fix this kind of issue|https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change]

I decided to prevents the session fixation by making Tomcat generate a new jsessionId, ultimately
put in cookie.

OWASP also recommends
<<Other common scenarios must also be considered, such as password changes, permission
changes or switching from a regular user role to an administrator role within the web application.
For all these web application critical pages, previous session IDs have to be ignored, a new
session ID must be assigned to every new request received for the critical resource, and the
old or previous session ID must be destroyed. >>

Password changes go through a new authentication so not a problem, it's a new login, so a
new jsessionId.

I don't think it is necessary to create a new authentication in OFBiz  during "permission
changes". In my opinion as it requires data loads, it's up to the admin to handle it, if it
ever happens. You rarely (actually never) change permission during a session, do you? Otherwise
the admin has to manage it with the user...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message