This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push: new afd3c36 Improved: Create a deny list to reject webshell tokens (OFBIZ-12324) afd3c36 is described below commit afd3c36b5fb17a12684ffc30cfde5c5abda996b0 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Tue Feb 15 07:54:17 2022 +0100 Improved: Create a deny list to reject webshell tokens (OFBIZ-12324) After reviewing https://github.com/nsacyber/Mitigating-Web-Shells this mostly adds as tokens the "Linux applications commonly used by attackers and rarely launched by benign Apache applications" --- framework/security/config/security.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index 0b88e95..36a2a99 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -219,8 +219,8 @@ allowAllUploads= deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,\ %eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\ chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,\ - python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream -#-- IMPORTANT: when you change things here you need to do accordingly in SecurityUtilTest::webShellTokensTesting and run "gradlew test" -- + python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,\ + ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami #-- Popup last-visited time from database after user has logged in. #-- So users can know of any unauthorised access to their accounts.