WilliamThomson created ISIS-3128:
------------------------------------
Summary: h2 database by default provides web access and uses the
administrator user, which may cause code execution
Key: ISIS-3128
URL: https://issues.apache.org/jira/browse/ISIS-3128
Project: Isis
Issue Type: Bug
Components: Isis Examples, Isis Examples Demo App
Affects Versions: 2.0.0-M7
Reporter: WilliamThomson
Attachments: 1.png, 2.png, 3.png
First of all: I am not sure if the service is intentionally set up by the project.
But: as the current ISIS version (7.9.0) that is used by Isis is vulnerable to
it, I guess it might be relevant to you.
h2 database external access is enabled and uses the SA admin user by default,
resulting in code execution.
Access 127.0.0.1:8080/db; you can log in without an additional username and
password, because the project permits SA login, like 1.png, 2.png.
The SA account can execute SQL queries, causing code execution, like 3.png.
PoC like this:
CREATE ALIAS GET_SYSTEM_PROPERTY FOR "java.lang.System.getProperty";
CALL GET_SYSTEM_PROPERTY('java.class.path');
Even if the h2 DB web login is a normal service, I think it needs to be set to
prohibit remote browser login.
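Added hardening example (not part of this report and not the Isis project's own configuration): assuming the demo app is a Spring Boot application that exposes the H2 console through Spring Boot's `spring.h2.console.*` properties (an assumption; the report does not show how the `/db` path is actually wired), the weak setting described above and the corrected setting look like this in `application.properties`:

```properties
# --- Weak: what the report describes ---------------------------------
# The H2 web console is enabled on the application's own HTTP port,
# reachable from other hosts, and the datasource uses the SA user with
# an empty password, so anyone who can reach /db gets an admin session
# that can run arbitrary SQL (and therefore CREATE ALIAS into Java).
spring.h2.console.enabled=true
spring.h2.console.path=/db
spring.h2.console.settings.web-allow-others=true
spring.datasource.username=sa
spring.datasource.password=

# --- Corrected: disable the console outside local development ---------
# Disabling the console is the only setting that removes the /db
# endpoint entirely; it is the right default for a deployable demo.
spring.h2.console.enabled=false

# If the console must stay on for a developer's own machine, keep it
# loopback-only (web-allow-others=false is Spring Boot's default) AND
# give the SA user a real password. Note that web-allow-others=false
# alone does not fix the report: the reporter logged in via 127.0.0.1,
# which loopback-only access still permits, so an empty SA password
# remains exploitable by anything running on the same host.
# spring.h2.console.enabled=true
# spring.h2.console.settings.web-allow-others=false
# spring.datasource.username=sa
# spring.datasource.password=${H2_SA_PASSWORD}   # placeholder; supply from the environment, never commit it
```

To verify the fix after restarting the app, request `http://127.0.0.1:8080/db` from the same host and confirm it no longer returns the H2 login page (a 404 with `spring.h2.console.enabled=false`); if the console is kept for development, confirm that the login form rejects the SA user with an empty password.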
--
This message was sent by Atlassian Jira
(v8.20.10#820010)