Hello,

One medium level alert, which I got from the ZAP tool, is coming from the jsessionid parameter:

<server>/openmeetings/swf;jsessionid=64A4ABD7831031264DB769CA1CC828D6?0&invitationHash=dffbc5225fdc148a5a658a30d55cd559

Medium (Warning): Session ID in URL rewrite
Description: URL rewrite is used to track user session ID. The session ID may be disclosed in the referer header. Besides, the session ID can be stored in browser history or server logs.

This is maybe not easy to handle with the configuration of Tomcat:
http://stackoverflow.com/questions/2276920/how-to-configure-tomcat-to-not-encode-the-session-id-into-the-url-when-httpservl

Do you have any comment on this?

BR,
Kalevi

2014-08-19 9:39 GMT+03:00 Maxim Solodovnik <solomax...@gmail.com>:

> Thanks a lot, will try this tool (as soon as I have some time)
>
> On 19 August 2014 13:31, kalevi tappinen <kalevi.tappi...@gmail.com> wrote:
>
>> Hello,
>>
>> I have tested OpenMeetings with the OWASP ZAP tool and it is generating
>> quite a lot of warnings, but not critical ones.
>>
>> I have to analyze the results and if I find something which should be
>> fixed, I will inform you.
>>
>> I recommend the OWASP ZAP tool. It is really easy to use. Just download
>> the product and then set the proxy. Then browse OpenMeetings and at the
>> same time the OWASP ZAP tool checks the communication.
>>
>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
>>
>> BR,
>> Kalevi
>>
>> 2014-08-19 9:09 GMT+03:00 Maxim Solodovnik <solomax...@gmail.com>:
>>
>>> Unfortunately no, we are trying to use all the latest libraries (with all
>>> issues fixed), but have no resources to perform "heavy" security testing.
>>> We will be happy to get any help on this.
>>>
>>> On 19 August 2014 12:58, kalevi tappinen <kalevi.tappi...@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Is it possible that someone can use some security hole in OpenMeetings
>>>> and then have access to our server?
>>>>
>>>> Have you tested the security with penetration tools etc.?
>>>>
>>>> BR,
>>>> Mika
>>>>
>>>> 2014-08-19 8:43 GMT+03:00 Maxim Solodovnik <solomax...@gmail.com>:
>>>>
>>>>> Hello,
>>>>>
>>>>> you can set up OM (starting with 3.0.3) to use both HTTPS and RTMPS,
>>>>> which are secure; all communications will be made via secured channels.
>>>>>
>>>>> On 19 August 2014 12:36, kalevi tappinen <kalevi.tappi...@gmail.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am sending my previous question again. What do you think about
>>>>>> OpenMeetings security?
>>>>>>
>>>>>> BR,
>>>>>> Kalevi
>>>>>>
>>>>>> 2014-08-13 8:54 GMT+03:00 kalevi tappinen <kalevi.tappi...@gmail.com>:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm interested in OpenMeetings, but my client is not sure if
>>>>>>> OpenMeetings is secure enough.
>>>>>>>
>>>>>>> How can I prove to the client that OpenMeetings is secure enough?
>>>>>>>
>>>>>>> Is Flash secure? How have you tested the security?
>>>>>>>
>>>>>>> I have read the security section on the OpenMeetings site, but I
>>>>>>> need more information to be sure.
>>>>>>>
>>>>>>> BR,
>>>>>>> Kalevi
>>>>>>
>>>>>
>>>>> --
>>>>> WBR
>>>>> Maxim aka solomax
>>>>
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>>
>
> --
> WBR
> Maxim aka solomax
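The ZAP finding above comes from the servlet container's URL-rewriting fallback: when a client has not yet returned the JSESSIONID cookie, HttpServletResponse.encodeURL() / encodeRedirectURL() append ";jsessionid=..." to links and redirects, so the session ID ends up in referer headers, browser history and access logs. The standard way to turn that off is to restrict session tracking to cookies in the web application's web.xml. What follows is an added example written for this thread; it is not OpenMeetings' own deployment descriptor and it assumes a Servlet 3.0 container (Tomcat 7 or later), an application already served over HTTPS as described earlier in the thread, and a 30-minute timeout chosen only for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml, not the OpenMeetings project's own file.
     Assumes Tomcat 7+ (Servlet 3.0); the timeout value is an assumption. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Idle timeout in minutes (illustrative value). -->
    <session-timeout>30</session-timeout>

    <cookie-config>
      <!-- Keep the session cookie out of reach of script and off plaintext HTTP.
           "secure" only makes sense once the site is served over HTTPS. -->
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>

    <!-- Weak default: with no <tracking-mode> element the container may track
         sessions by COOKIE and by URL, and encodeURL()/encodeRedirectURL()
         will emit ";jsessionid=..." for a client that has not yet sent the
         cookie. That is exactly the "Session ID in URL rewrite" alert.
         Listing only COOKIE disables URL rewriting for this application. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

After redeploying, the check is the same one ZAP performs: fetch the entry page with a cookie-less client (for example `curl -sI https://<server>/openmeetings/`) and confirm that the response carries a `Set-Cookie: JSESSIONID=...; Secure; HttpOnly` header and that no `Location` header or link in the body contains `;jsessionid=`. Two caveats a practitioner should keep in mind: with COOKIE-only tracking, a browser that refuses cookies will simply not get a session at all, rather than falling back to URL rewriting; and the `invitationHash` parameter in the flagged URL is an application parameter, not the container session ID, so this setting does not change it.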