Details
- Improvement
- Status: Closed
- Major
- Resolution: Won't Do
- Release Branch 11.04, Release Branch 12.04, Release Branch 13.07, Trunk
- None
- None
- Bug Crush Event - 21/2/2015
Description
Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access any resources without authorization.
For example: https://demo-trunk.ofbiz.apache.org/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secured with auth="true" and https="true" in all the application components.