[ 
https://issues.apache.org/jira/browse/OFBIZ-12315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-12315.
-----------------------------------
    Resolution: Not A Problem

I must first say that this is not really an OFBiz bug but a sysadmin issue.

When the file access permissions are correctly configured you should get 
something like
bq. java.lang.IllegalArgumentException: Error running script at location 
[component://content/groovyScripts/layout/EditSubContent.groovy]: 
java.io.FileNotFoundException: /etc/sudoers.d (Permission denied)

This is what you get when you try to access the /etc/sudoers.d file on the 
trunk demo using the reported issue. I tried several other files, notably on my 
local OFBiz trunk instance on Win7, and got the same answer or responses like
bq. The Following Errors Occurred: For security reason only valid files of 
supported image formats (GIF, JPEG, PNG, TIFF), SVG, PDF, and ZIP or text files 
with safe names (only Alpha-Numeric characters, hyphen, underscore and spaces, 
only 1 dot, name and extension not empty) and contents are accepted.

"Orz" has suggested to "strictly restrict accessible files." We know that deny 
lists are never-ending tasks. 

So I'll close this task as won't fix and ask "Orz" if he can find a sensitive 
file that could be read on one of our demos. If there is at least one, then 
I'll reopen and reconsider this issue...

Of course I warn our users about this issue. They can help if they find a 
sensitive readable file on their system to put in a possible deny list. But 
frankly I don't expect many answers...

> OFBiz Arbitrary file read vulnerability
> ---------------------------------------
>
>                 Key: OFBIZ-12315
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12315
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: 截屏2021-08-14 03.31.07.png
>
>
> This post-auth security issue was reported to the security team by weinull 
> orz <[email protected]>
> {quote}Hi, I found an arbitrary file read vulnerability in OFBiz. Through this 
> vulnerability, you can read sensitive system files and application 
> configuration files (including database account passwords and other 
> configurations).
> URL:
>  
> [content/control/updateLayoutSubContent|https://xxx/content/control/updateLayoutSubContent]
>  Content -> Template -> Create New
> !截屏2021-08-14 03.31.07.png!
> OFBiz version: 17.12.08
> Vulnerability Repair:
>  Strictly restrict accessible files.
> Orz Team of weinull
> {quote}



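The comment above quotes the rule OFBiz applies to uploaded file names (alphanumerics, hyphen, underscore and spaces; exactly one dot; non-empty name and extension; only the listed formats) and contrasts it with the reporter's suggestion of a deny list. The following is an added example, not OFBiz's own code, of how such an allowlist check looks when written out, together with a content (magic-byte) check and a final path-containment guard. The class name SafeFileName, its method names, the mapping of "text files" to the txt extension and the sample inputs are assumptions made for the example; it needs Java 11 or later.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example (not OFBiz code): allowlist validation of an uploaded file. */
public final class SafeFileName {

    // Anchored pattern: '/', '\' and '..' can never match, so traversal is rejected
    // by construction rather than by a deny list of bad substrings.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9 _-]+\\.[A-Za-z0-9 _-]+$");

    // Assumption: "text files" in the quoted rule means the txt extension.
    private static final Set<String> ALLOWED_EXTENSIONS =
        Set.of("gif", "jpg", "jpeg", "png", "tif", "tiff", "svg", "pdf", "zip", "txt");

    // Leading bytes of the binary formats, so the extension alone cannot be used
    // to smuggle other content past the check.
    private static final Map<String, List<byte[]>> MAGIC = Map.of(
        "gif",  List.of(ascii("GIF87a"), ascii("GIF89a")),
        "png",  List.of(new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}),
        "jpg",  List.of(new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}),
        "jpeg", List.of(new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}),
        "tif",  List.of(ascii("II*\0"), ascii("MM\0*")),
        "tiff", List.of(ascii("II*\0"), ascii("MM\0*")),
        "pdf",  List.of(ascii("%PDF-")),
        "zip",  List.of(new byte[] {'P', 'K', 3, 4}, new byte[] {'P', 'K', 5, 6}));

    private SafeFileName() {}

    private static byte[] ascii(String s) { return s.getBytes(StandardCharsets.US_ASCII); }

    static String extensionOf(String name) {
        return name.substring(name.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
    }

    /** Name check only: shape of the name plus an allowlisted extension. */
    public static boolean isSafeName(String name) {
        return name != null
            && SAFE_NAME.matcher(name).matches()
            && ALLOWED_EXTENSIONS.contains(extensionOf(name));
    }

    /** Name plus content: magic bytes for binary formats, decodable UTF-8 for svg/txt. */
    public static boolean isAllowed(String name, byte[] content) {
        if (!isSafeName(name) || content == null) return false;
        List<byte[]> signatures = MAGIC.get(extensionOf(name));
        if (signatures == null) return isPlainText(content); // svg, txt: no fixed signature
        for (byte[] sig : signatures) {
            if (startsWith(content, sig)) return true;
        }
        return false;
    }

    /** Final guard for code that builds a path: the resolved target must stay under base. */
    public static boolean staysInside(Path base, String name) {
        Path root = base.toAbsolutePath().normalize();
        Path target = root.resolve(name).normalize();
        return target.startsWith(root) && !target.equals(root);
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        if (data.length < prefix.length) return false;
        for (int i = 0; i < prefix.length; i++) {
            if (data[i] != prefix[i]) return false;
        }
        return true;
    }

    private static boolean isPlainText(byte[] data) {
        for (byte b : data) {
            if (b == 0) return false; // NUL bytes never belong in a text file
        }
        try {
            StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(data));
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample names, including the path used in the report.
        String[] names = {"logo.png", "report.pdf", "notes.txt", "/etc/sudoers.d",
            "../../etc/passwd", "shell.jsp", "a.b.txt", ".txt", "name."};
        Path uploads = Paths.get("/var/ofbiz/uploads"); // assumed upload directory
        for (String n : names) {
            System.out.printf("%-18s safe name: %-5b stays inside: %b%n",
                n, isSafeName(n), staysInside(uploads, n));
        }
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
        System.out.println("logo.png with PNG bytes:  " + isAllowed("logo.png", png));
        System.out.println("logo.png with JSP text:   " + isAllowed("logo.png", ascii("<% %>")));
        System.out.println("notes.txt with UTF-8:     " + isAllowed("notes.txt", ascii("hello")));
    }
}
```

Run with `java SafeFileName.java`: logo.png, report.pdf and notes.txt pass the name check, while /etc/sudoers.d, ../../etc/passwd, shell.jsp, a.b.txt, .txt and name. all fail it, and logo.png carrying JSP text fails the content check. The point of the allowlist is that every rejection above follows from the rule's positive shape, so there is nothing to keep extending as new sensitive files are discovered. The name check is only meaningful for a name the application itself joins to its upload directory; a handler that accepts a caller-supplied absolute path still needs the staysInside guard (or an equivalent one) before opening the file.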
--
This message was sent by Atlassian Jira
(v8.3.4#803005)