Hi Jacques,

Wasn't there PHP code in the scrum application/component to work with a git repository?
Or was that Python?

On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <j...@apache.org> wrote:

>
>     [ https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028 ]
>
> ASF subversion and git services commented on OFBIZ-11948:
> ---------------------------------------------------------
>
> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
>
> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
>
> Lion Tree <liontree0...@gmail.com> has reported to us that "CVE-2020-1938 is not fully fixed".
>
> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated user to upload a webshell included in an image using one of the upload possibilities in OFBiz. That is not new and covered by OFBIZ-12080 "Secure the uploads", but was still incomplete.
>
> This enforces the secured uploads by
> * checking in SecuredUpload::isValidImageFile that a webshell is not embedded in an image.
> * Keeping only "<%" as a denied token for JSP webshells, instead of currently "<%@ page"
> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
>
> Also
> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all, it's often installed on servers.
> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no longer useful since "<%" and "<jsp" block them.
> * Remove php token since I'll put "<?" in.
> * Adds "#!", rather than adding other shebangs like perl, python and ruby
>
> This will make deniedWebShellTokens more understandable.
>
> But I'm conscious that despite SecuredUpload::isExecutable I still need to better handle encoded webshells. I'll do that soon in a second approach.
>
> I'll also certainly prune more PHP-related tokens.
>
> Thanks: Lion Tree for report
>
>
> > Remote Code Execution (File Upload) Vulnerability
> > -------------------------------------------------
> >
> >                 Key: OFBIZ-11948
> >                 URL: https://issues.apache.org/jira/browse/OFBIZ-11948
> >             Project: OFBiz
> >          Issue Type: Sub-task
> >          Components: product/catalog
> >    Affects Versions: Trunk, 17.12.04, 18.12.01
> >            Reporter: Jacques Le Roux
> >            Assignee: Jacques Le Roux
> >            Priority: Major
> >             Fix For: 17.12.05, 18.12.01
> >
> >
> > Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability to the OFBiz security team, and we thank him for that.
> > I'll later quote here his email message when the vulnerability will be fixed. It's a post-auth vulnerability so we did not ask for a CVE.
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.20.1#820001)
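The quoted commit describes a deny-list scan of uploaded images for web shell tokens ("<%", "<jsp", "<?", "#!"). The following is an added example, not OFBiz's SecuredUpload code: it reproduces that token check over the whole file, including bytes after a valid image header, with a minimal magic-number probe standing in for the real image validation; the `IMAGE_MAGIC` table, helper names and sample inputs are constructed for the example.

```python
# Added example, not OFBiz code: a minimal version of the "denied web shell tokens"
# check described in the commit message. Magic-number table and helpers are assumed.

# Tokens named in the commit message: "<%" (JSP), "<jsp", "<?" (PHP), "#!" (shebang).
DENIED_WEBSHELL_TOKENS = ("<%", "<jsp", "<?", "#!")

# Constructed stand-in for real image validation: only a few well-known headers.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def image_type(data: bytes):
    """Return the image type recognised by its leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_denied_tokens(data: bytes):
    """Return every denied token present anywhere in the file, matched case-insensitively.

    The scan deliberately covers the entire byte stream, not just the header, because a
    polyglot upload keeps its valid image magic and carries the script after it.
    """
    # latin-1 maps every byte to exactly one character, so nothing is lost or rejected.
    text = data.decode("latin-1").lower()
    return [token for token in DENIED_WEBSHELL_TOKENS if token in text]


def is_valid_image_upload(data: bytes) -> bool:
    """Accept only files with a recognised image header and no denied token anywhere."""
    return image_type(data) is not None and not find_denied_tokens(data)


if __name__ == "__main__":
    # Constructed samples: a plain PNG, and a JPEG header with a JSP-style tail appended.
    clean_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    polyglot = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<% /* constructed JSP stand-in */ %>"
    print("clean png accepted:", is_valid_image_upload(clean_png))       # True
    print("polyglot denied tokens:", find_denied_tokens(polyglot))       # ['<%']
```

A deny list this blunt has a known false-positive cost: "<?" also opens the XMP metadata packet (`<?xpacket ...`) that many image editors embed in JPEG and PNG files, so the rejection rate on legitimate uploads should be measured before enforcing it.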