Issue 0045365: Hardware Manager - HWM accepts incoming requests on interface 0.0.0.0

| Field | Value |
|---|---|
| ID | 0045365 |
| Type | feature request |
| Category | [Retail Modules] Web POS Hardware Manager |
| Severity | major |
| Reproducibility | always |
| Date Submitted | 2020-11-03 10:51 |
| Last Update | 2020-11-16 07:40 |
| Reporter | jcbourgeois |
| View Status | public |
| Assigned To | javierRodriguez |
| Priority | high |
| Resolution | fixed |
| Fixed in Version | RR21Q1 |
| Status | closed |
| Projection | none |
| ETA | none |
| OS | Any |
| Database | Any |
| Review Assigned To | marvintm |
| OBNetwork customer | Gold |
| Triggers an Emergency Pack | No |
Description:
A security issue in Hardware Manager has been raised by Decathlon: it currently accepts requests from all the machines present in the network. It doesn't make sense for many customers because HWM is installed on each till (devices are not shared between the tills).

Steps To Reproduce:
1) Start HWM.
2) Launch the following command: sudo netstat -anp | grep -i listen | grep tcp
3) Results:
   tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 1189/java
   tcp 0 0 0.0.0.0:8190 0.0.0.0:* LISTEN 1189/java
   => It means ports 8090 & 8190 are listening for requests from everywhere = potential security breach.

Proposed Solution:
Jetty can be started to allow access from localhost only: https://stackoverflow.com/questions/1955455/how-to-secure-jetty-to-only-allow-access-from-loopbacklocalhost
The solution could be adding the following line in our source code: connector.setHost("localhost");
And maybe add a new parameter in openbravohw.properties to limit or not the access from all the machines in the network.

Tags: security
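The following is an added example (not the project's ServerManagerJetty.java, whose contents are not shown on this page) of how the configurable allowed host proposed above and delivered in the fix commits can be wired into Jetty 9 connectors; the property name server.allowedhost, the file openbravohw.properties and the ports 8090/8190 come from this issue, while the class and method names are assumed.

```java
import java.util.Properties;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

/**
 * Added example: bind the HWM Jetty connectors to the host named by the
 * server.allowedhost property. Class and method names are assumed; they are
 * not the project's own ServerManagerJetty code.
 */
public class AllowedHostConnector {

    public static final String ALLOWED_HOST_PROPERTY = "server.allowedhost";

    /**
     * Host to bind, or null to keep the pre-fix behaviour of listening on all
     * interfaces (0.0.0.0). A blank value is treated as unset so a stray space
     * in the properties file does not make Jetty fail to bind.
     */
    public static String allowedHost(Properties props) {
        String value = props.getProperty(ALLOWED_HOST_PROPERTY);
        return (value == null || value.trim().isEmpty()) ? null : value.trim();
    }

    /** One connector per port; "localhost" restricts it to the loopback interface. */
    public static ServerConnector newConnector(Server server, String host, int port) {
        ServerConnector connector = new ServerConnector(server);
        if (host != null) {
            // Only this address is bound, so other tills on the network cannot reach the port.
            connector.setHost(host);
        }
        connector.setPort(port);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; a real deployment loads openbravohw.properties instead.
        Properties props = new Properties();
        props.setProperty(ALLOWED_HOST_PROPERTY, "localhost");

        String host = allowedHost(props);
        Server server = new Server();
        for (int port : new int[] {8090, 8190}) {   // ports from the netstat output in the report
            server.addConnector(newConnector(server, host, port));
        }
        server.start();
        // With the property set, netstat now shows the loopback address instead of 0.0.0.0 for both ports.
        server.join();
    }
}
```

Leaving server.allowedhost unset reproduces the reported behaviour, so a deployment that wants per-till isolation must set it explicitly to localhost.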
Note 0124364 - hgbot (developer) - 2020-11-13 13:37

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources
Changeset: 977df98cee071748211660b9692c71c3b544f568
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-12T18:16:28+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources/-/commit/977df98cee071748211660b9692c71c3b544f568

Fixed ISSUE 45365: Refactor Server Manager Jetty to include configurable attribute to set the allowed host

This configurable attribute can be set in openbravo.properties as server.allowedhost. If it is not set, HWM allows every machine connected to the network to request actions. If it is set to localhost, only the localhost can do actions with the HWM.

Modified files:
M project/openbravohw.properties
M project/src/com/openbravo/poshw/server/ServerManagerJetty.java

Note 0124365 - hgbot (developer) - 2020-11-13 13:37

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources
Changeset: a6dc137d6389b0cc1ac68228f20066695ddba61c
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-12T18:30:20+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources/-/commit/a6dc137d6389b0cc1ac68228f20066695ddba61c

Related to ISSUE 45365: Rename setConnectorAttributes method

Modified files:
M project/src/com/openbravo/poshw/server/ServerManagerJetty.java

Note 0124366 - hgbot (developer) - 2020-11-13 13:37

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources
Changeset: 1656f5ae76db12aed7c7d912282d63d6c9a0a969
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-13T12:38:32+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources/-/commit/1656f5ae76db12aed7c7d912282d63d6c9a0a969

Related to ISSUE 45365: Fix null pointer exception

Modified files:
M project/src/com/openbravo/poshw/server/ServerManagerJetty.java

Note 0124368 - hgbot (developer) - 2020-11-13 13:43

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager
Changeset: 7e8e06523faaaa94855857ddb87feb502d54e380
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-13T13:42:53+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager/-/commit/7e8e06523faaaa94855857ddb87feb502d54e380

Fixed ISSUE 45365: Refactor Server Manager Jetty to include configurable attribute to set the allowed host

This configurable attribute can be set in openbravo.properties as server.allowedhost. If it is not set, HWM allows every machine connected to the network to request actions. If it is set to localhost, only the localhost can do actions with the HWM.

Modified files:
M bin/openbravohw.properties
M bin/poshw.jar
M bin/rev.id
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-11-03 10:51 | jcbourgeois | New Issue | |
| 2020-11-03 10:51 | jcbourgeois | Assigned To | => Retail |
| 2020-11-03 10:51 | jcbourgeois | Triggers an Emergency Pack | => No |
| 2020-11-03 10:55 | guillermogil | OBNetwork customer | => Gold |
| 2020-11-03 10:55 | guillermogil | Resolution time | => 1606172400 |
| 2020-11-03 10:55 | guillermogil | Tag Attached: security | |
| 2020-11-03 11:01 | adrianromero | Type | defect => feature request |
| 2020-11-13 13:37 | hgbot | Resolution | open => fixed |
| 2020-11-13 13:37 | hgbot | Status | new => resolved |
| 2020-11-13 13:37 | hgbot | Fixed in Version | => RR21Q1 |
| 2020-11-13 13:37 | hgbot | Note Added: 0124364 | |
| 2020-11-13 13:37 | hgbot | Note Added: 0124365 | |
| 2020-11-13 13:37 | hgbot | Note Added: 0124366 | |
| 2020-11-13 13:43 | hgbot | Note Added: 0124368 | |
| 2020-11-16 07:39 | marvintm | Assigned To | Retail => javierRodriguez |
| 2020-11-16 07:40 | marvintm | Review Assigned To | => marvintm |
| 2020-11-16 07:40 | marvintm | Status | resolved => closed |
| 2021-07-07 07:50 | ranjith_qualiantech_com | Relationship added | related to 0047198 |