This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git
The following commit(s) were added to refs/heads/master by this push:
new 44bb687 Improved: about themes/common-theme/webapp/images/products subdirectories
44bb687 is described below
commit 44bb687c926a52e0f2ffa26a5af8531284cdb0ab
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Sep 28 18:08:43 2025 +0200
Improved: about themes/common-theme/webapp/images/products subdirectories
Separates "OFBiz Security" from "Security Vulnerabilities" chapters
---
security.html | 4 ++--
template/page/security.tpl.php | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/security.html b/security.html
index 46eff2c..d3f49d2 100644
--- a/security.html
+++ b/security.html
@@ -135,11 +135,11 @@
<p><strong>At the UI level the OFBiz logs are protected and should
not be vulnerable to exploits</strong>.
We though warn OFBiz users it's important that out of OFBiz
UI level logs files remain restricted to their trusted users.
- Also we recommend to use the <strong>verbose level on
production</strong> only when it's absolutely necessary.</p>
+ Also we recommend to use the <strong>verbose level on
production</strong> only when it's absolutely necessary.
Another case where access needs to be restricted to trusted
users is inside subdirectories of themes/common-theme/webapp/images/products.
Specifically because images upload for products is possible
in those places. Hence possible embedded webshells, even if OFBiz has a robust
protection.
As recommended by OWASP, a solid solution is to move the
products images upload to another domain.
- You may also simply prevent security issues by making these
subdirectories non-executable.
+ You may also simply prevent security issues by making these
subdirectories non-executable.</p>
<h2><a id="security"></a>Security Vulnerabilities</h2>
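Review bot: the recommendation "making these subdirectories non-executable" in the last `+` line is ambiguous and should be made concrete: a filesystem execute bit on a directory only affects traversal, whereas the risk the paragraph describes (an uploaded file under themes/common-theme/webapp/images/products being treated as a webshell) is about whether the servlet container or web server will ever interpret a file in that path as code, so the text should state that server-side script execution must be disabled for that path and that files there are to be served only as static images, or simply point back to the OWASP advice already in the paragraph of hosting uploads on a separate domain. The `</p>` relocation itself is correct, since the "Another case…" context lines were previously sitting outside any paragraph, but while these lines are being touched the wording should be tidied: "We though warn" reads better as "We do warn", "images upload for products is possible" as "image uploads for products are possible", and the fragment "Hence possible embedded webshells, even if OFBiz has a robust protection." should be folded into the preceding sentence, e.g. "so an uploaded file could embed a webshell even though OFBiz has robust protection."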
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index 104ab0b..1339286 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -36,11 +36,11 @@
<p><strong>At the UI level the OFBiz logs are protected and should
not be vulnerable to exploits</strong>.
We though warn OFBiz users it's important that out of OFBiz
UI level logs files remain restricted to their trusted users.
- Also we recommend to use the <strong>verbose level on
production</strong> only when it's absolutely necessary.</p>
+ Also we recommend to use the <strong>verbose level on
production</strong> only when it's absolutely necessary.
Another case where access needs to be restricted to trusted
users is inside subdirectories of themes/common-theme/webapp/images/products.
Specifically because images upload for products is possible
in those places. Hence possible embedded webshells, even if OFBiz has a robust
protection.
As recommended by OWASP, a solid solution is to move the
products images upload to another domain.
- You may also simply prevent security issues by making these
subdirectories non-executable.
+ You may also simply prevent security issues by making these
subdirectories non-executable.</p>
<h2><a id="security"></a>Security Vulnerabilities</h2>
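Review bot: this hunk is the same `</p>` relocation as the one in security.html, which is expected since security.html is the rendered form of this template, but it means any wording and clarity fixes made to the "non-executable" sentence and the surrounding paragraph in security.html must be applied here as well, otherwise the next regeneration of the page silently reverts them; the safer workflow is to edit only template/page/security.tpl.php and regenerate security.html from it rather than patching both by hand.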