[ https://issues.apache.org/jira/browse/OFBIZ-13092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17912570#comment-17912570 ]
Mekika Leila commented on OFBIZ-13092:
--------------------------------------

Hello [~jleroux],

I've got a strange issue that seems to be caused by one of this Jira's modifications. On the demo environment, when clicking on several sort field links, a '{*}For security reason this URL is not accepted{*}' error is thrown. For instance, if you go to the [find party screen|https://demo-stable.ofbiz.apache.org/partymgr/control/findparty] and try to sort by partyId, createdDate or anything else, you will get this message.

!image-2025-01-13-16-18-46-537.png!

I tried to reproduce it in a local trunk environment without success: the uRIFiltered and the initialURI are the same. But on a deployed project where we encounter the same issue, I did a remote debug and, from what I saw, the problem was that the initialURI retrieved by the ControlFilter still has the semicolon in it. As the uRIFiltered has its semicolons removed, the comparison fails and the error is returned.

We fixed it by removing the {{.replaceAll(";", "")}} in the construction of the uRIFiltered, but I would like to know what it was for in the first place. Do you have some use cases where the absence of this replace was blocking and non-secure?
> [SECURITY] (CVE-2024-36104) Path traversal leading to RCE
> ---------------------------------------------------------
>
>                 Key: OFBIZ-13092
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13092
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webapp
>    Affects Versions: 18.12.14
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.14
>
>         Attachments: image-2025-01-13-16-10-01-639.png,
>                      image-2025-01-13-16-18-46-537.png
>
>
> Better avoid special encoded characters sequences

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
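Added illustration (editor's example, not OFBiz code and not part of the comment above): a minimal model of the raw-versus-canonical URI comparison the comment describes, so the two effects can be seen side by side. It assumes, for illustration only, that the filter receives a servlet-style request URI without the query string, that the canonical form is built by percent-decoding, optionally removing every `;`, then collapsing `.`/`..` segments, and that a request is rejected whenever that canonical form differs from the raw URI. The sample paths, the `jsessionid` path parameter and the `..;/` segment are constructed inputs; the `..;/` case is an assumption about why a blanket semicolon removal might exist (servlet containers treat `;param` as a path parameter, so `..;` reaches the container as `..`), not something the Jira page states.

```python
from urllib.parse import unquote
import posixpath

# Constructed request paths (not taken from the Jira comment). Servlet
# getRequestURI() semantics are assumed: path only, no query string.
SORT_LINK_PLAIN = "/partymgr/control/findparty"
SORT_LINK_WITH_PATH_PARAM = "/partymgr/control/findparty;jsessionid=ABC123"
TRAVERSAL_PLAIN = "/partymgr/control/../../WEB-INF/web.xml"
TRAVERSAL_ENCODED = "/partymgr/control/%2e%2e/%2e%2e/WEB-INF/web.xml"
# Assumed bypass shape: a container that treats ";..." as a path parameter
# sees "..;" as "..", while a naive normalizer sees an ordinary segment name.
TRAVERSAL_SEMICOLON = "/partymgr/control/..;/WEB-INF/web.xml"


def fully_decode(path: str) -> str:
    """Percent-decode until stable so double-encoded sequences (%252e) are exposed too."""
    while True:
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded


def filtered_uri(initial_uri: str, strip_semicolons: bool) -> str:
    """Canonical form that the (hypothetical) filter compares against the raw URI.

    Order matters: semicolons are removed before segment collapsing so that a
    "..;" segment turns into ".." and gets collapsed like any other traversal.
    """
    decoded = fully_decode(initial_uri)
    if strip_semicolons:
        decoded = decoded.replace(";", "")
    normalized = posixpath.normpath(decoded)
    # normpath drops a trailing slash; keep it so "/a/b/" is not a false positive.
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_accepted(initial_uri: str, strip_semicolons: bool = True) -> bool:
    """Reject whenever canonicalization changed anything in the raw request URI."""
    return filtered_uri(initial_uri, strip_semicolons) == initial_uri


if __name__ == "__main__":
    cases = [SORT_LINK_PLAIN, SORT_LINK_WITH_PATH_PARAM,
             TRAVERSAL_PLAIN, TRAVERSAL_ENCODED, TRAVERSAL_SEMICOLON]
    for uri in cases:
        print(f"{uri!r:55} strip=True -> {is_accepted(uri)!s:5} "
              f"strip=False -> {is_accepted(uri, strip_semicolons=False)}")
```

With semicolon removal on, the ordinary sort link is accepted but the same link carrying a `;jsessionid=...` path parameter is rejected, which is the false positive the comment reports. With semicolon removal off, that link is accepted again, plain and percent-encoded `../` traversal is still caught, but the `..;/` form passes the comparison untouched, because the normalizer no longer recognizes `..;` as a parent-directory segment. Whether that trade-off matters in a given deployment depends on how the container in front of the filter interprets path parameters; a canonicalization that removes the `;...` part of a segment on both sides of the comparison, rather than only on the filtered side, would avoid the mismatch without giving up the check.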