[ https://issues.apache.org/jira/browse/OFBIZ-13092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17912625#comment-17912625 ]

ASF subversion and git services commented on OFBIZ-13092:
---------------------------------------------------------

Commit 959799bf039dd41c3ed854526a89868ed19b9832 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=959799bf03 ]

Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFBIZ-13092)

As reported by Leïla, <<if you perform a search on find party screen and try to
sort by partyId, createdDate or else, you will get this message.
"For security reason this URL is not accepted"
The problem was that the initialURI retrieved by the controlFilter still has
semicolon in it. As the uRIFiltered is removed from its semicolon, the
comparison failed and the error is returned.>>

This was due to the use of URLDecoder::decode below but not on the line
that is now fixed by this commit.
I guess it extends to all such cases; i.e. URLs that use sorting and such,
possibly using js at some point. I did not get further.


> [SECURITY] (CVE-2024-36104) Path traversal leading to RCE
> ---------------------------------------------------------
>
>                 Key: OFBIZ-13092
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13092
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webapp
>    Affects Versions: 18.12.14
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.14
>
>         Attachments: image-2025-01-13-16-10-01-639.png, 
> image-2025-01-13-16-18-46-537.png
>
>
> Better avoid special encoded character sequences 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
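The commit message above describes a filter that builds a filtered copy of the request URI (percent-decoded, semicolon path parameters removed) and then compares it with the initial URI, rejecting the request when the two differ; decoding one side but not the other turned a benign sort link into a "For security reason this URL is not accepted" rejection. The following is an added, stand-alone Python model of that failure mode and of the more robust alternative, written for this page; it is not OFBiz code, not the controlFilter, and not the patched line. Everything in it is an assumption: the sample URLs are constructed (the issue does not say where the semicolon in the sort link came from, so a `;jsessionid=` path parameter is assumed as one plausible source), the repeated-decoding cap and the NUL and backslash rejections are added hardening, and the function names are invented. The point it shows is that traversal checks should run on one fully canonicalized form (decode, strip path parameters, then inspect segments) rather than on a comparison between differently processed copies of the same string.

```python
"""Illustrative model of a URL-guarding servlet filter (not OFBiz code)."""
from typing import Optional, Tuple
from urllib.parse import unquote

REJECT_MSG = "For security reason this URL is not accepted"
MAX_DECODE_ROUNDS = 3   # assumption: legitimate clients never nest encoding deeper


def decode_repeatedly(uri: str) -> Optional[str]:
    """Percent-decode until the string stops changing, so a double-encoded
    '%252e%252e' is seen as '..'. Returns None if the text is still changing
    after MAX_DECODE_ROUNDS (treated as hostile)."""
    current = uri
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    return None


def strip_path_params(path: str) -> str:
    """Drop ';name=value' path parameters (e.g. ';jsessionid=...') from every
    segment. The container ignores them when resolving the path, so the
    filter must inspect the segments without them."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def canonical_path(uri: str) -> Optional[str]:
    """Return the path the container will resolve, or None if the request
    must be rejected. Every check runs on the fully decoded, parameter-
    stripped form, never on the raw request line."""
    decoded = decode_repeatedly(uri)
    if decoded is None or "\x00" in decoded:
        return None                  # excessive encoding or NUL truncation
    path = strip_path_params(decoded.split("?", 1)[0])
    if "\\" in path or ".." in path.split("/"):
        return None                  # traversal (backslash rejected conservatively)
    return path


def canonical_check(uri: str) -> Tuple[bool, str]:
    """Accept iff the canonical path is clean; returns (accepted, detail)."""
    path = canonical_path(uri)
    if path is None:
        return False, REJECT_MSG
    return True, path


def naive_compare_check(uri: str) -> Tuple[bool, str]:
    """The shape of check the commit message describes: a filtered copy of the
    URI (decoded, path parameters removed) is compared with the *raw* initial
    URI. Any benign difference, such as a ';jsessionid=' path parameter or an
    ordinary percent-encoded character, fails the comparison and produces the
    same rejection a traversal attempt would."""
    decoded = decode_repeatedly(uri)
    if decoded is None:
        return False, REJECT_MSG
    path, sep, query = decoded.partition("?")
    filtered = strip_path_params(path) + sep + query
    if filtered != uri:              # one side decoded and stripped, the other not
        return False, REJECT_MSG
    return True, path


# Constructed sample requests (not taken from the issue or the bug report).
SAMPLE_REQUESTS = {
    "sort link carrying a session path parameter":
        "/partymgr/control/findparty;jsessionid=ABC123?sortField=partyId",
    "plain sort link": "/partymgr/control/findparty?sortField=partyId",
    "encoded traversal": "/partymgr/control/..%2f..%2fWEB-INF/web.xml",
    "double-encoded traversal":
        "/partymgr/control/%252e%252e/%252e%252e/WEB-INF/web.xml",
    "traversal after a path parameter":
        "/partymgr/control/findparty;x=1/../WEB-INF/web.xml",
    "NUL byte": "/partymgr/control/findparty%00.jsp",
}

if __name__ == "__main__":
    for label, uri in SAMPLE_REQUESTS.items():
        print(f"{label}\n  naive:     {naive_compare_check(uri)}"
              f"\n  canonical: {canonical_check(uri)}")
```

Running the module prints both verdicts for each sample: the naive comparison rejects the session-parameter sort link (the false positive the report describes) while the canonical check accepts it, and both reject the encoded, double-encoded and parameter-masked traversal attempts. The naive variant only happens to catch traversal because any decoding changes the string; it is the comparison against a differently processed copy, not an inspection of the resolved path, that makes it both fragile and hard to reason about.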