
List:       mifos-developer
Subject:    Re: [Mifos-developer] Community-app scripts codes are visible through a browser developer editors
From:       Nayan Ambali <nayan.ambali () gmail ! com>
Date:       2016-07-09 16:31:54
Message-ID: CAF0gLvwjy=hcf4KNuJeuq5_f3vfYWtiQqg08fq4QDtkfZm2uEA () mail ! gmail ! com


Ippez, I trust what Markus has said in the previous email.

The explanation below tells you how any web application works:
the front end is rendered/generated by the browser, and browsers usually
understand HTML, JS and CSS code, so it is very obvious that all the HTML,
CSS and JS files need to be available to the browser to render the web page.

There are some ways to uglify the JS code so it is difficult to read, and
so it is not of much use.

tenantIdentifier is part of the URL; someone knowing the URL does not mean he/she
can access the resources that are beyond the authentication, which means a
valid user name and password are required to access any resources.

So, in my understanding this is not a security threat.


Note: I did not mean the Mifos X platform does not have any security loopholes;
I just mean the issue you pointed out is not a security loophole.


Thanks and Regards,
Nayan Ambali
+91 9591996042
skype: nayangambali
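
The argument in the message above, as an added example (not Mifos X or Fineract code): a minimal request handler that serves front-end assets to anyone, because the browser must have them, but serves API resources only when the request carries valid credentials, even when the caller already knows the tenantIdentifier from the URL. The `/assets/` and `/api/v1/clients` paths and the `mifos`/`password` credentials are constructed placeholders.

```python
# Added example, not project code: models "knowing the URL is not access".
import base64
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (assumed placeholders, not real deployment values).
KNOWN_TENANTS = {"default"}
USERS = {"mifos": "password"}


def basic_auth_header(user, pw):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def _credentials_ok(auth_header):
    """Validate an HTTP Basic Authorization header against USERS."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = USERS.get(user)
    # Constant-time comparison so timing does not reveal which part failed.
    return expected is not None and hmac.compare_digest(
        expected.encode(), pw.encode()
    )


def handle(path_with_query, headers):
    """Return (status, body) for a request; headers is a plain dict."""
    parts = urlsplit(path_with_query)
    # 1. Front-end files are public by design: the browser needs them to
    #    render the page, so seeing them in the developer tools is expected.
    if parts.path.startswith("/assets/"):
        return 200, "/* script or stylesheet contents */"
    # 2. API resources need a tenant, taken from the URL as in the thread ...
    tenant = parse_qs(parts.query).get("tenantIdentifier", [None])[0]
    if tenant not in KNOWN_TENANTS:
        return 400, "unknown or missing tenantIdentifier"
    # 3. ... and valid credentials. Knowing the tenant alone is not enough.
    if not _credentials_ok(headers.get("Authorization")):
        return 401, "authentication required"
    return 200, f"resource for tenant {tenant}"
```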

On Sat, Jul 9, 2016 at 11:51 AM, Markus Geiß <mgeiss@mifos.org> wrote:

> Hey Robert,
>
> what is your concern with this? You can even open your regular online
> banking web site and do the same.
>
> It is 'just' the structure of the website incl. scripts and images. This
> is not blockable as far as I know.
>
> Best wishes,
>
>
> *Markus Geiss*
> Chief Architect
> RɅĐɅЯ, The Mifos Initiative
> mgeiss@mifos.org | Skype: mgeiss.mifos.org | Mobil: +49.152.295.05306 |
> http://mifos.org  <http://facebook.com/mifos>
> <http://www.twitter.com/mifos>
>
>
>
> On Sat, Jul 9, 2016 at 8:12 AM, Ippez Robert <ippezrobert@gmail.com>
> wrote:
>
>> Hi Devs, I have just realized one thing with the community-app: when you
>> Inspect Element (after loading the community-app, right click, on the
>> pop-up menu click on Inspect Element and click the Debugger tab), you are
>> able to view the list of all the .js scripts of the community-app. Worse
>> still, in Google Chrome it shows the complete directory with folder names
>> (right-click, select Inspect and click on the Source tab).
>>
>> Is there a way to disable this in both Ubuntu and Windows environments?
>>
>> This is a security threat to me as someone can build something to get to
>> the main Fineract platform.
>>
>> Thanks
>> Regards
>> Ippez Robert
>>
>>
>> ------------------------------------------------------------------------------
>> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
>> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
>> present their vision of the future. This family event has something for
>> everyone, including kids. Get more information and register today.
>> http://sdm.link/attshape
>> Mifos-developer mailing list
>> mifos-developer@lists.sourceforge.net
>> Unsubscribe or change settings at:
>> https://lists.sourceforge.net/lists/listinfo/mifos-developer
>>
>
>
>
