[
https://issues.apache.org/jira/browse/OFBIZ-12315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-12315:
------------------------------------
Description:
This post-auth security issue was reported to the security team by weinull orz
<[email protected]>
{quote}Hi, I found an arbitrary file read vulnerability in OFBiz. Through this
vulnerability, you can read sensitive system files and application
configuration files (including database account passwords and other
configuration).
URL:
[content/control/updateLayoutSubContent|https://xxx/content/control/updateLayoutSubContent]
Content -> Template -> Create New
!截屏2021-08-14 03.31.07.png!
OFBiz version: 17.12.08
Vulnerability Repair:
Strictly restrict accessible files.
Orz Team of weinull
{quote}
was:This post-auth security issue was reported to the security team by
weinull orz <[email protected]>
> OFBiz Arbitrary file read vulnerability
> ---------------------------------------
>
> Key: OFBIZ-12315
> URL: https://issues.apache.org/jira/browse/OFBIZ-12315
> Project: OFBiz
> Issue Type: Bug
> Components: content
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: 截屏2021-08-14 03.31.07.png
>
>
> This post-auth security issue was reported to the security team by weinull
> orz <[email protected]>
> {quote}Hi, I found an arbitrary file read vulnerability in OFBiz. Through this
> vulnerability, you can read sensitive system files and application
> configuration files (including database account passwords and other
> configuration).
> URL:
>
> [content/control/updateLayoutSubContent|https://xxx/content/control/updateLayoutSubContent]
> Content -> Template -> Create New
> !截屏2021-08-14 03.31.07.png!
> OFBiz version: 17.12.08
> Vulnerability Repair:
> Strictly restrict accessible files.
> Orz Team of weinull
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
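The reporter's suggested repair, "strictly restrict accessible files", is the usual fix for this class of bug: a user-supplied template location must be confined to an allow-listed directory before anything is read from disk. The following is an added example of that check, not OFBiz code and not the patch that closed OFBIZ-12315. The class name `TemplatePathGuard`, the method names and the base directory are assumptions chosen for illustration; the sample template and the traversal inputs are constructed inline.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not OFBiz code): confine a user-supplied template location
 * to an allow-listed base directory before reading it. Names are assumptions.
 */
public final class TemplatePathGuard {

    private final Path baseDir;

    public TemplatePathGuard(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and ".." so later comparisons are
        // made against the directory's true on-disk location.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Resolve untrustedLocation under baseDir and return it only if the
     * canonical result is still inside baseDir; otherwise reject it.
     */
    public Path resolveTemplate(String untrustedLocation) throws IOException {
        if (untrustedLocation == null || untrustedLocation.isEmpty()) {
            throw new IllegalArgumentException("template location is required");
        }
        // An absolute input such as "/etc/passwd" resolves to itself, and a
        // relative "../.." climbs out; normalize() exposes both as a prefix
        // mismatch before we touch the filesystem (no existence oracle).
        Path candidate = baseDir.resolve(untrustedLocation).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("template path escapes base directory: " + untrustedLocation);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new IOException("template not found: " + untrustedLocation);
        }
        // Second check after following symlinks: a link inside baseDir that
        // points outside it would otherwise pass the lexical check above.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new SecurityException("template symlink escapes base directory: " + untrustedLocation);
        }
        return real;
    }

    public String readTemplate(String untrustedLocation) throws IOException {
        // Java 8 compatible read (OFBiz 17.12 targets Java 8).
        return new String(Files.readAllBytes(resolveTemplate(untrustedLocation)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary base directory with one template.
        Path base = Files.createTempDirectory("templates");
        Files.write(base.resolve("page.ftl"), "<#-- sample template -->".getBytes(StandardCharsets.UTF_8));
        TemplatePathGuard guard = new TemplatePathGuard(base);

        System.out.println("allowed: " + guard.readTemplate("page.ftl"));
        for (String bad : new String[] {"../../../../etc/passwd", "/etc/passwd", "sub/../../page.ftl"}) {
            try {
                guard.readTemplate(bad);
                System.out.println("UNEXPECTED: read " + bad);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

The lexical `startsWith` check runs before any filesystem access so that a rejected path cannot be used to probe which files exist; the second check after `toRealPath()` covers symlinks placed inside the allowed directory. In a web handler the `SecurityException` should map to a generic error response, not an echo of the path.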