This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git
The following commit(s) were added to refs/heads/master by this push:
new ab97e37 Improved: major changes, so far it should be enough
ab97e37 is described below
commit ab97e37ed90f6094728d670abfd8e39879ad1df6
Author: Jacques Le Roux <[email protected]>
AuthorDate: Fri Sep 5 15:04:19 2025 +0200
Improved: major changes, so far it should be enough
---
security.html | 12 +++++-------
template/page/security.tpl.php | 7 +++++--
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/security.html b/security.html
index 96f3609..4bf76e4 100644
--- a/security.html
+++ b/security.html
@@ -122,6 +122,11 @@
<li><i class="icon-pin"></i> <a
href="//cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"
target="external">Keeping OFBiz secure.</a> To keep your OFBiz instance secure
from exploits.</li>
</ul>
+ <p><strong>All system privileges, including access to potentially
vulnerable operations, are granted to administrators</strong>. Even if we
assume that administrators don't attack their own websites, it's essential to
exercise extra care when granting administrator privileges.
+ Therefore, if a security breach occurs on the
administration page, it's generally not perceived as a problem. The
administrator holds the power. Unless an ordinary user manages to overstep
their bounds and act beyond their authority.
+ So in the webtools page we only accept vulnerabilities
when using a not administrator credential.
+ </p>
+
<h2><a id="security"></a>Security Vulnerabilities</h2>
<div class="divider"><span></span></div>
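Review bot: The new sentence "So in the webtools page we only accept vulnerabilities when using a not administrator credential" is ambiguous on a page that tells reporters what is in scope. "Accept vulnerabilities" can be read as tolerating them rather than accepting reports, and "a not administrator credential" is hard to parse. Something like "For webtools, we only accept vulnerability reports that can be reproduced with non-administrator credentials" would be clearer. The preceding "Unless an ordinary user manages to overstep their bounds..." is a sentence fragment and would read better joined to "The administrator holds the power."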
@@ -131,13 +136,6 @@
<p>Please see the <a href="//www.apache.org/security"
target="external">ASF Security Team webpage</a> for further information about
reporting a security vulnerability as well as their contact information.</p>
- <h3>OFBiz Security</h3>
- <ul class="iconsList">
- <li><i class="icon-pin"></i> <a
href="//cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Security+Permissions"
target="external">OFBiz Security Model : Permissions and related.</a> Be sure
to read the children pages in the left part of screen</li>
- <li><i class="icon-pin"></i> <a
href="//cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"
target="external">Keeping OFBiz secure.</a> To keep your OFBiz instance secure
from exploits.</li>
- </ul>
- <p><strong>All system privileges, including access to potentially
vulnerable operations, are granted to administrators</strong>. Even if we
assume that administrators don't attack their own websites, it's essential to
exercise extra care when granting administrator privileges.
- Therefore, if a security breach occurs on the administration
page, it's generally not perceived as a problem. The administrator holds the
power. Unless an ordinary user manages to overstep their bounds and act beyond
their authority.</p>
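Review bot: Removing this list may drop the "OFBiz Security Model : Permissions and related." link from the page. The context of the previous security.html hunk only shows the "Keeping OFBiz secure" item ahead of the closing </ul>, so please confirm that the Permissions link and an "OFBiz Security" heading are still present above line 122 before deleting this copy.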
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index 33011fb..58989f9 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -23,6 +23,11 @@
<li><i class="icon-pin"></i> <a
href="//cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"
target="external">Keeping OFBiz secure.</a> To keep your OFBiz instance secure
from exploits.</li>
</ul>
+ <p><strong>All system privileges, including access to potentially
vulnerable operations, are granted to administrators</strong>. Even if we
assume that administrators don't attack their own websites, it's essential to
exercise extra care when granting administrator privileges.
+ Therefore, if a security breach occurs on the
administration page, it's generally not perceived as a problem. The
administrator holds the power. Unless an ordinary user manages to overstep
their bounds and act beyond their authority.
+ So in the webtools page we only accept vulnerabilities
when using a not administrator credential.
+ </p>
+
<h2><a id="security"></a>Security Vulnerabilities</h2>
<div class="divider"><span></span></div>
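Review bot: The scope paragraph now sits above the "Security Vulnerabilities" heading, so a reader who follows the #security anchor to report an issue lands below the rule that decides whether a webtools report is accepted. Consider keeping the paragraph inside that section, or restating the webtools rule next to the reporting instructions.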
@@ -32,8 +37,6 @@
<p>Please see the <a href="//www.apache.org/security"
target="external">ASF Security Team webpage</a> for further information about
reporting a security vulnerability as well as their contact information.</p>
- <p><strong>All system privileges, including access to potentially
vulnerable operations, are granted to administrators</strong>. Even if we
assume that administrators don't attack their own websites, it's essential to
exercise extra care when granting administrator privileges.
- Therefore, if a security breach occurs on the administration
page, it's generally not perceived as a problem. The administrator holds the
power. Unless an ordinary user manages to overstep their bounds and act beyond
their authority.</p>
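Review bot: This hunk removes only the paragraph, while the matching security.html hunk also removes an "OFBiz Security" h3 and its links list, so the two files were not identical before this commit. It would help to say in the commit message whether security.html is meant to mirror this template, and to check that the two now match after the change.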