[ https://issues.apache.org/jira/browse/OFBIZ-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241397#comment-17241397 ]
ASF subversion and git services commented on OFBIZ-12080:
---------------------------------------------------------
Commit 8b511e3c0b0c2c23a137a13cf0f976732386f862 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=8b511e3 ]
Fixed: Secure the uploads (OFBIZ-12080)
2020/08/10 the OFBiz security team received a security report by Harshit Shukla <[email protected]>, roughly it was (quoting part of it to simplify):

<<I have identified a Remote Code Execution (RCE) Vulnerability. The reason behind this RCE is lack of file extension check at catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category>>

Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS credentials by uploading a webshell (based on [0]).

By security, it was then decided by the Infra and OFBiz security teams to shut down the demos.

After discussing the elements reported with Mark J Cox (VP of ASF security team) we in common decided that no CVE was necessary.
# Conflicts handled by hand:
# applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java
# applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
# applications/product/groovyScripts/catalog/category/EditCategory.groovy
# applications/product/groovyScripts/catalog/config/EditProductConfigItemContent.groovy
# applications/product/groovyScripts/catalog/imagemanagement/ImageUpload.groovy
# applications/product/groovyScripts/catalog/imagemanagement/SetDefaultImage.groovy
# applications/product/groovyScripts/catalog/product/EditProductContent.groovy
# applications/product/src/main/java/org/apache/ofbiz/product/image/ScaleImage.java
# applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
# applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
# applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
# build.gradle
# framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java
# framework/base/src/main/java/org/apache/ofbiz/base/util/HttpRequestFileUpload.java
# framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
# framework/security/config/security.properties
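The root cause named in the report is an upload handler that trusts the client-supplied file name and so accepts a server-side script where only an image is expected. The following is an added example, not code from the OFBiz commit above, of how such a handler can be hardened: the extension must be on a short allowlist, the file's leading bytes must match the signature of that image format, path-like names are refused, and the stored name is generated server-side. Class and method names (`ImageUploadValidator`, `validate`, `extensionOf`) are hypothetical; it assumes Java 11 or later for `InputStream.readNBytes`.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Hypothetical upload validator (not OFBiz code). A file is accepted only when
 * its client-supplied extension is on the allowlist AND its leading bytes match
 * the signature of that image format; the name used on disk is chosen here.
 */
public final class ImageUploadValidator {

    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "jpeg", "gif");

    // Magic numbers of the allowed formats, taken from the public format specifications.
    private static final byte[] PNG = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] JPEG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] GIF87 = "GIF87a".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] GIF89 = "GIF89a".getBytes(StandardCharsets.US_ASCII);
    private static final Map<String, List<byte[]>> SIGNATURES = Map.of(
            "png", List.of(PNG),
            "jpg", List.of(JPEG),
            "jpeg", List.of(JPEG),
            "gif", List.of(GIF87, GIF89));

    private ImageUploadValidator() {}

    /** Lowercase extension of the name, or null when it has none or looks like a path. */
    static String extensionOf(String clientFileName) {
        if (clientFileName == null || clientFileName.indexOf('/') >= 0
                || clientFileName.indexOf('\\') >= 0 || clientFileName.indexOf('\0') >= 0) {
            return null;
        }
        int dot = clientFileName.lastIndexOf('.');
        if (dot <= 0 || dot == clientFileName.length() - 1) {
            return null;
        }
        return clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    private static boolean startsWith(byte[] head, byte[] signature) {
        return head.length >= signature.length
                && Arrays.equals(Arrays.copyOf(head, signature.length), signature);
    }

    /**
     * Returns a server-generated file name for an accepted upload, or throws.
     * The caller must still store the file outside any script-executing web root.
     */
    public static String validate(String clientFileName, InputStream content) throws IOException {
        String ext = extensionOf(clientFileName);
        if (ext == null || !ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IOException("rejected: extension not allowed for " + clientFileName);
        }
        // Eight bytes cover every signature above; a real handler would buffer or
        // reset the stream before writing the full content to disk.
        byte[] head = content.readNBytes(8);
        boolean signatureMatches = false;
        for (byte[] signature : SIGNATURES.get(ext)) {
            if (startsWith(head, signature)) {
                signatureMatches = true;
                break;
            }
        }
        if (!signatureMatches) {
            throw new IOException("rejected: content is not a ." + ext + " image");
        }
        // Never reuse the client's name on disk: random name plus the allowlisted extension.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs: a minimal PNG header and plain text under misleading names.
        byte[] pngHeader = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] textBody = "constructed non-image text".getBytes(StandardCharsets.US_ASCII);
        String[][] cases = {
                {"logo.png", "png"}, {"LOGO.PNG", "png"}, {"cmd.jsp", "text"},
                {"cmd.jsp.png", "text"}, {"../logo.png", "png"}, {"logo", "png"}};
        for (String[] c : cases) {
            byte[] body = c[1].equals("png") ? pngHeader : textBody;
            try {
                System.out.println(c[0] + " -> stored as " + validate(c[0], new ByteArrayInputStream(body)));
            } catch (IOException e) {
                System.out.println(c[0] + " -> " + e.getMessage());
            }
        }
    }
}
```

The two checks catch different mistakes: the extension allowlist stops a `.jsp` name outright, and the signature check stops text content smuggled under a `.png` name. Neither defeats a polyglot file that is a valid image and also carries script, which is why the accepted file must be written to a directory the servlet container never executes from, under a name the client did not choose.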
> Secure the uploads
> ------------------
>
> Key: OFBIZ-12080
> URL: https://issues.apache.org/jira/browse/OFBIZ-12080
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL APPLICATIONS, ALL PLUGINS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> 2020/08/10 the OFBiz security team received a security report by Harshit Shukla <[email protected]>, roughly it was (quoting part of it to simplify):
> bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason behind this RCE is lack of file extension check at catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category
> Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS credentials by uploading a webshell (based on [0]). By security, it was then decided by the Infra and OFBiz security teams to shut down the demos.
> After I decided we needed to secure all our uploads and not only checking extensions, I began to work on the vulnerability. During this work I discovered, according to [1] and [2], that these AWS credentials are so far considered harmless.
> This post-auth RCE relies on the demo data. For a long time in our documentation, we warn our users to not use the demo data. Notably because they allow signing in as an admin!
> After discussing twice these elements with Mark J Cox (VP of ASF security team) we in common decided that no CVE was necessary.
> [0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
> [1] https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
> [2] https://twitter.com/SpenGietz/status/1104198404471631872
> [3] https://awe.com/mark/history/index.html