View Issue Details
ID: 0045365
Type: feature request
Category: [Retail Modules] Web POS Hardware Manager
Severity: major
Reproducibility: always
Date Submitted: 2020-11-03 10:51
Last Update: 2020-11-16 07:40
Reporter: jcbourgeois
View Status: public
Assigned To: javierRodriguez
Priority: high
Resolution: fixed
Fixed in Version: RR21Q1
Status: closed
Projection: none
ETA: none
OS: Any
Database: Any
Review Assigned To: marvintm
Triggers an Emergency Pack: No
Summary

0045365: Hardware Manager - HWM accepts incoming requests on interface 0.0.0.0

Description
A security issue in Hardware Manager has been raised by Decathlon: it currently accepts requests from all the machines present in the network.
It doesn't make sense for many customers because HWM is installed on each till (devices are not shared between the tills).
Steps To Reproduce
1) Start HWM
2) Launch the following command: sudo netstat -anp | grep -i listen | grep tcp
3) Results:

tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 1189/java
tcp 0 0 0.0.0.0:8190 0.0.0.0:* LISTEN 1189/java

=> It means ports 8090 & 8190 are listening for requests from everywhere = potential security breach
Proposed Solution
Jetty can be started to allow access from localhost only: https://stackoverflow.com/questions/1955455/how-to-secure-jetty-to-only-allow-access-from-loopbacklocalhost

The solution could be adding the following line in our source code: connector.setHost("localhost");

And maybe add a new parameter in openbravohw.properties to limit or not the access from all the machines in the network.
Tags: security

Relationships
related to defect 0047198 closedranjith_qualiantech_com Hardware manager parameter server.allowedhost doesn't appears to have any effect 

Notes
(0124364)
hgbot (developer)
2020-11-13 13:37

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources
Changeset: 977df98cee071748211660b9692c71c3b544f568
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-12T18:16:28+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources/-/commit/977df98cee071748211660b9692c71c3b544f568

Fixed ISSUE 45365: Refactor Server Manager Jetty to include configurable attribute to set the allowed host

This configurable attribute can be set in openbravo.properties as server.allowedhost. If it is not set, HWM allows
every machine connected to the network to request actions. If it is set to localhost, only the localhost can perform actions with the HWM

---
M project/openbravohw.properties
M project/src/com/openbravo/poshw/server/ServerManagerJetty.java
---
(0124365)
hgbot (developer)
2020-11-13 13:37

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources
Changeset: a6dc137d6389b0cc1ac68228f20066695ddba61c
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-12T18:30:20+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources/-/commit/a6dc137d6389b0cc1ac68228f20066695ddba61c

Related to ISSUE 45365: Rename setConnectorAttributes method

---
M project/src/com/openbravo/poshw/server/ServerManagerJetty.java
---
(0124366)
hgbot (developer)
2020-11-13 13:37

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources
Changeset: 1656f5ae76db12aed7c7d912282d63d6c9a0a969
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-13T12:38:32+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager.sources/-/commit/1656f5ae76db12aed7c7d912282d63d6c9a0a969

Related to ISSUE 45365: Fix null point Exception

---
M project/src/com/openbravo/poshw/server/ServerManagerJetty.java
---
(0124368)
hgbot (developer)
2020-11-13 13:43

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager
Changeset: 7e8e06523faaaa94855857ddb87feb502d54e380
Author: Javier Rodriguez Regueiro <javier.rodriguez@openbravo.com>
Date: 2020-11-13T13:42:53+01:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.poshwmanager/-/commit/7e8e06523faaaa94855857ddb87feb502d54e380

Fixed ISSUE 45365: Refactor Server Manager Jetty to include configurable attribute to set the allowed host

This configurable attribute can be set in openbravo.properties as server.allowedhost. If it is not set, HWM allows
every machine connected to the network to request actions. If it is set to localhost, only the localhost can perform actions with the HWM

---
M bin/openbravohw.properties
M bin/poshw.jar
M bin/rev.id
---
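
A check for the listener state shown in the steps to reproduce, useful after setting server.allowedhost given that related issue 0047198 reports the parameter appearing to have no effect. This is an added example, not part of the issue or of the Openbravo code base; the function name exposed_listeners and the sample lines other than the two quoted in the report are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Openbravo code): verify that the HWM ports are bound to
# loopback only. Input is netstat-style text on stdin.

# These two lines are the output quoted in the issue report.
SAMPLE_BEFORE='tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 1189/java
tcp 0 0 0.0.0.0:8190 0.0.0.0:* LISTEN 1189/java'

# Constructed sample: what a loopback-only bind would look like, plus an
# unrelated listener and a look-alike port that must both be ignored.
SAMPLE_AFTER='tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN 1189/java
tcp6 0 0 ::1:8190 :::* LISTEN 1189/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 800/sshd
tcp 0 0 0.0.0.0:18090 0.0.0.0:* LISTEN 900/other'

# exposed_listeners PORT...
# Prints "address port" for every LISTEN socket on one of the given ports
# whose local address is not loopback. Returns 1 if any is found, else 0.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1" || addr == "::ffff:127.0.0.1") next
            print addr, port
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demonstration on the embedded samples. On a till, feed it live data:
#   sudo netstat -ant | exposed_listeners 8090 8190
for name in BEFORE AFTER; do
    eval "data=\$SAMPLE_$name"
    if printf '%s\n' "$data" | exposed_listeners 8090 8190; then
        echo "$name: HWM ports are loopback-only"
    else
        echo "$name: HWM ports reachable from the network"
    fi
done
```

The non-zero return status on an exposed listener lets the check run from a provisioning or monitoring script on each till.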

Issue History
Date Modified Username Field Change
2020-11-03 10:51 jcbourgeois New Issue
2020-11-03 10:51 jcbourgeois Assigned To => Retail
2020-11-03 10:51 jcbourgeois Triggers an Emergency Pack => No
2020-11-03 10:55 guillermogil Resolution time => 1606172400
2020-11-03 10:55 guillermogil Tag Attached: security
2020-11-03 11:01 adrianromero Type defect => feature request
2020-11-13 13:37 hgbot Resolution open => fixed
2020-11-13 13:37 hgbot Status new => resolved
2020-11-13 13:37 hgbot Fixed in Version => RR21Q1
2020-11-13 13:37 hgbot Note Added: 0124364
2020-11-13 13:37 hgbot Note Added: 0124365
2020-11-13 13:37 hgbot Note Added: 0124366
2020-11-13 13:43 hgbot Note Added: 0124368
2020-11-16 07:39 marvintm Assigned To Retail => javierRodriguez
2020-11-16 07:40 marvintm Review Assigned To => marvintm
2020-11-16 07:40 marvintm Status resolved => closed
2021-07-07 07:50 ranjith_qualiantech_com Relationship added related to 0047198

