Hi Jacques,

In a posting above, you stated:

* Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,

and I remember that functionality introduced in the scrum application/component was in PHP (or Python) to 'manage' scrum artefacts in a git repository. I did not investigate the component further.

That makes 'Even if OFBiz does not use PHP at all' not entirely accurate. I just thought I'd mention it, to make you aware of this, and potentially of an additional issue that needs to be addressed.

Kind regards,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since 2008 (without privileges)
Proud contributor to the ASF since 2006
Apache Directory <https://directory.apache.org>, PMC Member
Anyone could have been you, whereas I've always been anyone.

On Fri, Feb 4, 2022 at 2:06 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

> Hi Pierre,
>
> How is your question related?
>
> On 04/02/2022 at 12:53, Pierre Smits wrote:
> > Hi Jacques,
> >
> > Wasn't there PHP code in the scrum application/component to work with a git repository?
> >
> > Or was that Python?
> >
> >
> > On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <j...@apache.org> wrote:
> >
> >> [ https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028 ]
> >>
> >> ASF subversion and git services commented on OFBIZ-11948:
> >> ---------------------------------------------------------
> >>
> >> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
> >> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
> >>
> >> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
> >>
> >> Lion Tree <liontree0...@gmail.com> has reported to us that "CVE-2020-1938 is not fully fixed".
> >>
> >> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated user to upload a webshell included in an image using one of the upload possibilities in OFBiz. That is not new and is covered by OFBIZ-12080 "Secure the uploads", but was still incomplete.
> >>
> >> This enforces the secured uploads by
> >> * checking in SecuredUpload::isValidImageFile that a webshell is not embedded in an image.
> >> * Keeping only "<%" as a denied token for JSP webshells, instead of currently "<%@ page"
> >> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
> >>
> >> Also
> >> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all, it's often installed on servers.
> >> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no longer useful since "<%" and "<jsp" block them.
> >> * Removes the php token since I'll put "<?" in.
> >> * Adds "#!", rather than adding other shebangs like perl, python and ruby
> >>
> >> This will make deniedWebShellTokens more understandable.
> >>
> >> But I'm conscious that despite SecuredUpload::isExecutable I still need to better handle encoded webshells. I'll do that soon in a second approach.
> >>
> >> I'll also certainly prune more PHP-related tokens.
> >>
> >> Thanks: Lion Tree for report
> >>
> >>
> >>> Remote Code Execution (File Upload) Vulnerability
> >>> -------------------------------------------------
> >>>
> >>>                 Key: OFBIZ-11948
> >>>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11948
> >>>             Project: OFBiz
> >>>          Issue Type: Sub-task
> >>>          Components: product/catalog
> >>>    Affects Versions: Trunk, 17.12.04, 18.12.01
> >>>            Reporter: Jacques Le Roux
> >>>            Assignee: Jacques Le Roux
> >>>            Priority: Major
> >>>             Fix For: 17.12.05, 18.12.01
> >>>
> >>>
> >>> Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability to the OFBiz security team, and we thank him for that.
> >>> I'll later quote here his email message once the vulnerability is fixed. It's a post-auth vulnerability so we did not ask for a CVE.
> >>
> >>
> >>
> >> --
> >> This message was sent by Atlassian Jira
> >> (v8.20.1#820001)
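To make concrete what the denied-token check described in the quoted commit message does, here is an added example in Python. It is not OFBiz's SecuredUpload code and is not part of this thread: the token list is the one the commit message names ("<%", "<jsp", "<?", "#!"), while the image magic-byte check, the function names and the constructed sample uploads are assumptions made for illustration. It also reproduces the gap Jacques acknowledges, namely that a base64-encoded payload carries none of the plain tokens and so passes this scan.

```python
"""Added example (not OFBiz's SecuredUpload): a denied-token scan of an
uploaded image, modelled on the change described in the quoted commit message.

Assumptions: the token list is the one named in the commit message, not a copy
of OFBiz's deniedWebShellTokens; the magic-byte check, function names and the
sample files are constructed here for illustration.
"""
import base64
from typing import List

# Denied tokens named in the commit message: "<%" (JSP scriptlet), "<jsp"
# (JSP XML syntax), "<?" (PHP), "#!" (any shebang). Matched case-insensitively.
DENIED_WEBSHELL_TOKENS = ("<%", "<jsp", "<?", "#!")

# Magic bytes of the image types an upload form typically accepts (assumption).
IMAGE_MAGIC = (
    b"\x89PNG\r\n\x1a\n",   # PNG
    b"\xff\xd8\xff",        # JPEG
    b"GIF87a", b"GIF89a",   # GIF
)


def has_image_magic(data: bytes) -> bool:
    """True if the file starts like one of the accepted image formats."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


def find_denied_tokens(data: bytes) -> List[str]:
    """Return the denied tokens present anywhere in the file body.

    latin-1 maps every byte to exactly one character, so a binary image body
    can be scanned as text without decode errors; lower() makes "<JSP" match.
    """
    text = data.decode("latin-1").lower()
    return [tok for tok in DENIED_WEBSHELL_TOKENS if tok in text]


def is_valid_image_file(data: bytes) -> bool:
    """Accept only files that carry image magic and no embedded webshell token."""
    return has_image_magic(data) and not find_denied_tokens(data)


# Constructed sample uploads (not real files from any report).
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
CLEAN_PNG = PNG_HEAD + b"\x00" * 32
# Valid image magic in front, a PHP tag appended behind the header: a
# magic-only check accepts it, the token scan rejects it.
PHP_IN_PNG = PNG_HEAD + b"<?php echo 'hello'; ?>"
JSP_IN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b'<% out.println("hello"); %>'
SHEBANG_SCRIPT = b"#!/bin/sh\necho hello\n"
# The same PHP tag base64-encoded: the base64 alphabet contains none of the
# token characters, so this scan alone lets it through. This is the
# "encoded webshells" case the commit message says still needs handling.
ENCODED_PHP_IN_PNG = PNG_HEAD + base64.b64encode(b"<?php echo 'hello'; ?>")


if __name__ == "__main__":
    samples = [
        ("clean png", CLEAN_PNG),
        ("php in png", PHP_IN_PNG),
        ("jsp in jpeg", JSP_IN_JPEG),
        ("shebang script", SHEBANG_SCRIPT),
        ("base64 php in png", ENCODED_PHP_IN_PNG),
    ]
    for name, blob in samples:
        print(f"{name:18} valid={is_valid_image_file(blob)!s:5} "
              f"tokens={find_denied_tokens(blob)}")
```

The scan is deliberately a substring match over the whole body rather than a parse of the image container: a webshell appended after a valid header, or hidden in a metadata chunk, is still caught, which is what the commit message means by a webshell "embedded in an image". The last sample shows why a token denylist on its own is not sufficient: anything that encodes or splits the tokens (base64, URL encoding, string concatenation) needs a separate check, as the message itself notes.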
