[
https://issues.apache.org/jira/browse/OFBIZ-12558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488761#comment-17488761
]
Jacques Le Roux edited comment on OFBIZ-12558 at 2/8/22, 12:17 PM:
-------------------------------------------------------------------
Hi Michael,
Yes I know, for security reason the current OOTB configuration only works with
localhost. I have that already documented and committed but not pushed, facing
other issues with SecuredUpoad. I'll soon push all...
was (Author: jacques.le.roux):
Hi Michael,
Yes I know, for secrutiy reason the current OOTB configuration only works with
localhost. I have that already documented and committed but not pushed, facing
other issues with SecuredUpoad. I'll soon push all...
> Possible authenticated attack related to Tomcat CVE-2020-1938
> -------------------------------------------------------------
>
> Key: OFBIZ-12558
> URL: https://issues.apache.org/jira/browse/OFBIZ-12558
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: 18.12.05, Upcoming Branch
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> Lion Tree <liontree0...@gmail.com> has reported us that "CVE-2020-1938 is not
> fully fixed".
> Though it was fixed by OFBIZ-11407, it still possible for an authenticated
> user to upload a webshell included in an image using one of the OFBiz upload
> possibilities. That of course is not new and already covered by OFBIZ-12080
> "Secure the uploads", but was still incomplete.
> So this Jira covers 2 points:
> # Disable bypass of Tomcat due to setting in
> framework/catalina/ofbiz-component.xml
> # Enforce upload prevention of webshells, specifically but not only those
> included in images
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
