[
https://issues.apache.org/jira/browse/OFBIZ-13092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17912570#comment-17912570
]
Mekika Leila edited comment on OFBIZ-13092 at 1/13/25 3:22 PM:
---------------------------------------------------------------
Hello [~jleroux] , I've got a strange issue that seems caused by one of this
Jira modification:
On demo environment, when clicking on several sort field links, a '{*}For
security reason this URL is not accepted{*}' error is thrown.
For instance, if you perform a search on [find party
screen|https://demo-stable.ofbiz.apache.org/partymgr/control/findparty] and try
to sort by partyId, createdDate or else, you qill get this message.
!image-2025-01-13-16-18-46-537.png!
I tried to reproduce it in a local trunk environment without success : the
uRIFiltered and the initialURI are the same.
But on a deployed project where we encounter the same issue, i did a remote
debug and from what i saw, the problem was that the initialURI retrieved by the
controlFilter still has semicolon in it. As the uRIFiltered is removed from its
semicolon, the comparison failed and the error is returned.
We fixed it by removing the
{color:#cccccc}.{color}{color:#a7ec21}replaceAll{color}{color:#f9faf4}({color}{color:#17c6a3}";"{color}{color:#e6e6fa},{color}{color:#d9e8f7}
{color}{color:#17c6a3}""{color}{color:#f9faf4}){color} in the construction of
the uRIFiltered but i would like to know what was it for in the first place. Do
you have some use cases where the absence of this replace was blocking and non
secure ?
was (Author: mleila):
Hello [~jleroux] , I've got a strange issue that seems caused by one of this
Jira modification:
On demo environment, when clicking on several sort field links, a '{*}For
security reason this URL is not accepted{*}' error is thrown.
For instance, if you go on[find party
screen|https://demo-stable.ofbiz.apache.org/partymgr/control/findparty] and try
to sort by partyId, createdDate or else, you qill get this message.
!image-2025-01-13-16-18-46-537.png!
I tried to reproduce it in a local trunk environment without success : the
uRIFiltered and the initialURI are the same.
But on a deployed project where we encounter the same issue, i did a remote
debug and from what i saw, the problem was that the initialURI retrieved by the
controlFilter still has semicolon in it. As the uRIFiltered is removed from its
semicolon, the comparison failed and the error is returned.
We fixed it by removing the
{color:#cccccc}.{color}{color:#a7ec21}replaceAll{color}{color:#f9faf4}({color}{color:#17c6a3}";"{color}{color:#e6e6fa},{color}{color:#d9e8f7}
{color}{color:#17c6a3}""{color}{color:#f9faf4}){color} in the construction of
the uRIFiltered but i would like to know what was it for in the first place. Do
you have some use cases where the absence of this replace was blocking and non
secure ?
> [SECURITY] (CVE-2024-36104) Path traversal leading to RCE
> ---------------------------------------------------------
>
> Key: OFBIZ-13092
> URL: https://issues.apache.org/jira/browse/OFBIZ-13092
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webapp
> Affects Versions: 18.12.14
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.14
>
> Attachments: image-2025-01-13-16-10-01-639.png,
> image-2025-01-13-16-18-46-537.png
>
>
> Better avoid special encoded characters sequences
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
