Openbravo Issue Tracking System - Retail Modules |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0045365 | Retail Modules | Web POS Hardware Manager | public | 2020-11-03 10:51 | 2020-11-16 07:40 |
|
Reporter | jcbourgeois | |
Assigned To | javierRodriguez | |
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | |
Platform | | OS | 5 | OS Version | |
Product Version | | |
Target Version | | Fixed in Version | RR21Q1 | |
Merge Request Status | |
Review Assigned To | marvintm |
OBNetwork customer | Gold |
Support ticket | |
Regression level | |
Regression date | |
Regression introduced in release | |
Regression introduced by commit | |
Triggers an Emergency Pack | No |
|
Summary | 0045365: Hardware Manager - HWM accepts incoming requests on interface 0.0.0.0 |
Description | A security issue in Hardware Manager has been raised by Decathlon: it currently accepts requests from all the machines present in the network.
It doesn't make sense for many customers because HWM is installed on each till (devices are not shared between the tills). |
Steps To Reproduce | 1) Start HWM
2) Launch the following command: sudo netstat -anp | grep -i listen | grep tcp
3) Results:
tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 1189/java
tcp 0 0 0.0.0.0:8190 0.0.0.0:* LISTEN 1189/java
=> It means ports 8090 & 8190 are listening for requests from everywhere = potential security breach |
Proposed Solution | Jetty can be started to allow access from localhost only: https://stackoverflow.com/questions/1955455/how-to-secure-jetty-to-only-allow-access-from-loopbacklocalhost
The solution could be adding the following line in our source code : connector.setHost("localhost");
And maybe add a new parameter in openbravohw.properties to limit or not the access from all the machines in the network. |
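As an added illustration of the proposed fix (example code, not Openbravo's Hardware Manager source), a minimal embedded Jetty 9 server that binds its connector to the host read from openbravohw.properties and falls back to loopback when the property is unset. The property name server.allowedhost is taken from the related issue 0047198; its exact semantics in the real product are assumed here.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

/** Constructed example: bind the embedded Jetty listener to one interface instead of 0.0.0.0. */
public class BoundHardwareManagerServer {

    // Assumed property name (from related issue 0047198); how the real HWM interprets it is not on the page.
    static final String HOST_PROPERTY = "server.allowedhost";
    // Safe default: only processes on the same till can reach the Hardware Manager.
    static final String DEFAULT_HOST = "localhost";

    /** Resolve the bind address: the configured value if present, otherwise loopback only. */
    static String resolveBindHost(Properties props) {
        String host = props.getProperty(HOST_PROPERTY, "").trim();
        return host.isEmpty() ? DEFAULT_HOST : host;
    }

    /** Build a server whose single connector listens on the resolved host and the given port. */
    static Server buildServer(Properties props, int port) {
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server);
        // Without setHost(), Jetty binds the wildcard address 0.0.0.0, which is the reported problem.
        connector.setHost(resolveBindHost(props));
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Assumed location of the properties file: current working directory.
        try (InputStream in = new FileInputStream("openbravohw.properties")) {
            props.load(in);
        } catch (IOException e) {
            // Missing or unreadable file: keep the loopback-only default rather than opening the port.
        }
        Server server = buildServer(props, 8090);
        server.start();
        System.out.println("Listening on " + server.getURI());
        server.join();
    }
}
```

With the property unset, the netstat check from the steps above should then report a loopback address (127.0.0.1:8090 or [::1]:8090) instead of 0.0.0.0:8090.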
Additional Information | |
Tags | security |
Relationships | related to | defect | 0047198 | | closed | ranjith_qualiantech_com | Hardware manager parameter server.allowedhost doesn't appears to have any effect |
|
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2020-11-03 10:51 | jcbourgeois | New Issue | |
2020-11-03 10:51 | jcbourgeois | Assigned To | => Retail |
2020-11-03 10:51 | jcbourgeois | Triggers an Emergency Pack | => No |
2020-11-03 10:55 | guillermogil | OBNetwork customer | => Gold |
2020-11-03 10:55 | guillermogil | Resolution time | => 1606172400 |
2020-11-03 10:55 | guillermogil | Tag Attached: security | |
2020-11-03 11:01 | adrianromero | Type | defect => feature request |
2020-11-13 13:37 | hgbot | Resolution | open => fixed |
2020-11-13 13:37 | hgbot | Status | new => resolved |
2020-11-13 13:37 | hgbot | Fixed in Version | => RR21Q1 |
2020-11-13 13:37 | hgbot | Note Added: 0124364 | |
2020-11-13 13:37 | hgbot | Note Added: 0124365 | |
2020-11-13 13:37 | hgbot | Note Added: 0124366 | |
2020-11-13 13:43 | hgbot | Note Added: 0124368 | |
2020-11-16 07:39 | marvintm | Assigned To | Retail => javierRodriguez |
2020-11-16 07:40 | marvintm | Review Assigned To | => marvintm |
2020-11-16 07:40 | marvintm | Status | resolved => closed |
2021-07-07 07:50 | ranjith_qualiantech_com | Relationship added | related to 0047198 |
Notes |
|
(0124364) | hgbot | 2020-11-13 13:37 |
(0124365) | hgbot | 2020-11-13 13:37 |
(0124366) | hgbot | 2020-11-13 13:37 |
(0124368) | hgbot | 2020-11-13 13:43 |