Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Jacques Le Roux

We crossed on wire Michael :)

Le 04/02/2022 à 14:34, Michael Brohl a écrit :

The scrum component contains a Python script which is used together with git 
hooks.

So Jacques's statement was entirely accurate.

Michael




Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Jacques Le Roux
Ah OK, then this sentence was inappropriate, nothing more. Actually the idea, from a security POV, is to add "security.properties::deniedWebShellTokens to neutralise non encoded PHP webshells.


Mmm, I just checked. It's about python: 
https://github.com/apache/ofbiz-plugins/tree/trunk/scrum/data/hookscripts

Anyway this does not add anything since I have also added <<"#!", rather than adding other shebangs for perl,python and ruby>>, still to neutralise 
only non encoded webshells.


You would have certainly understood that I'm still working on encoded 
webshells...

HTH




Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Michael Brohl
The scrum component contains a Python script which is used together with 
git hooks.


So Jacques's statement was entirely accurate.

Michael




Fwd: [GitHub] [ofbiz-framework] mbrohl commented on pull request #498: Improved: WorkEffort - MainActionMenu (OFBIZ-12557)

2022-02-04 Thread Jacques Le Roux

Pierre,

I did not receive your message on the dev ML, certainly due to my too many Thunderbird filters, or maybe something else; strange things happen with mails 
sometimes.


So it is forwarded here, expurgated of the exchanges on the members' private ML, with the last 
line slightly modified.

HTH


 Message transféré 
Sujet : Re: [GitHub] [ofbiz-framework] mbrohl commented on pull request 
#498: Improved: WorkEffort - MainActionMenu (OFBIZ-12557)
Date :  Fri, 4 Feb 2022 11:01:16 +0100
De :Jacques Le Roux 
Répondre à :memb...@apache.org
Pour :  memb...@apache.org


Hi Pierre,

You missed the point. You confuse changes and history. The problem here is that mixing formatting and code changes complicates the reviews, nothing more. I 
trust it's just laziness and you are not doing that on purpose. But I begin to seriously doubt.


In your point 3 reference I then gave my opinion. I notably said to Michael:

<>

I thought you would be reasonable enough to understand it's more review work for committers. And would accept to change (I guess) your automated 
blank-line-removing setting and rebuild a few PRs. It's a pity you preferred to escalate, exposing this problem to all members.


This said, in the past we have already, a number of times, used regexps to globally change things in code. We could do that again and establish a new rule 
that would be covered by the build-blocking checkstyle Gradle task, hence blocking PRs and commits with no blank lines in some parts of the code. Rarely, 
but sometimes, something must be done in code.


I did not say I'll do that, it would take much time (tests and failures); it's just 
the kind of escalation that would seem more appropriate to me.

 I embrace "community over code" but sorry I don't think you are going in the 
right direction.

Jacques



On Thu, Feb 3, 2022 at 4:57 PM Pierre Smits  
wrote:

Indeed, Michael. That was what you said in comments regarding:

 1. https://github.com/apache/ofbiz-framework/pull/481
 2. https://github.com/apache/ofbiz-framework/pull/482
 3. https://github.com/apache/ofbiz-framework/pull/483

and now again in https://github.com/apache/ofbiz-framework/pull/498

What is this RULE of yours that fellow volunteering contributors 
MUST comply with in order to have their improvements go into the codebase:

Is it single line spacing, *or* is it double line spacing?


It must surely feel very frustrating and annoying (even maybe 
painful?) when YOU look at code in the OFBiz repositories and the majority
of that code not having the single or double line spacing that you 
want.
How unfortunate that all those contributors of code improvements 
over the past 15 years of this project's existence (including you,
contributing for as long as that, as you claimed elsewhere) 
violated that RULE of yours (that you brought forward just 11 days ago).

If the code of OFBiz (and improvements thereon) gives you so many 
difficulties to read, maybe there are some helpful tools available for
you to continue to bring your valuable contributions to improve 
this project and its works? Or maybe it is time to call it quits?


Met vriendelijke groet,

Pierre Smits
*Proud* *contributor** of* Apache OFBiz  
since 2008 (without privileges)
Proud contributor to the ASF since 2006
*Apache Directory , PMC Member*
Anyone could have been you, whereas I've always been anyone.


On Thu, Feb 3, 2022 at 8:12 PM GitBox  wrote:


mbrohl commented on pull request #498:
URL: 
https://github.com/apache/ofbiz-framework/pull/498#issuecomment-1029313372


   As said before, the removal of blank lines between sections 
makes the files harder to read.


-- 
This is an automated message from the Apache Git Service.

To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: 
notifications-unsubscr...@ofbiz.apache.org

For queries about this service, please contact Infrastructure 
at:
us...@infra.apache.org



Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Pierre Smits
Hi Jacques,

in a posting above, you stated:

* Adds "https://ofbiz.apache.org/> since
2008 (without privileges)
Proud contributor to the ASF since 2006
*Apache Directory , PMC Member*

Anyone could have been you, whereas I've always been anyone.




Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Jacques Le Roux

Hi Pierre,

How is your question related?




Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Pierre Smits
Hi Jacques,

Wasn't there PHP code in the scrum application/ component to work with a
git repository?

Or was that Python?


Op vr 4 feb. 2022 12:32 schreef ASF subversion and git services (Jira) <
j...@apache.org>:

>
> [
> https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487028#comment-17487028
> ]
>
> ASF subversion and git services commented on OFBIZ-11948:
> -
>
> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
> branch refs/heads/trunk from Jacques Le Roux
> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
>
> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
>
> Lion Tree has reported to us that
> "CVE-2020-1938 is not fully fixed".
>
> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
> user
> to upload a webshell included in an image using one of the upload
> possibilities
> in OFBiz. That is not new and covered by OFBIZ-12080 "Secure the uploads",
> but
> was still incomplete.
>
> This enforces the secured uploads by
> * checking in SecuredUpload::isValidImageFile that a webshell is not
> embedded in
> an image.
> * Keeping only "<%" as a denied token for JSP webshells, instead of
> currently
> "<%@ page"
> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
>
> Also
> * Adds " it's often installed on servers.
> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
> longer useful since "<%" and "
> * Remove php token since I'll put "
> * Adds "#!", rather than adding other shebangs like perl,python and ruby
>
> This will make deniedWebShellTokens more understandable.
>
> But I'm conscious that despite SecuredUpload::isExecutable I still need to
> better handle encoded webshells. I'll do that soon in a second approach.
>
> I'll also certainly prune more PHP-related tokens.
>
> Thanks: Lion Tree for report
>
>
> > Remote Code Execution (File Upload) Vulnerability
> > -
> >
> > Key: OFBIZ-11948
> > URL: https://issues.apache.org/jira/browse/OFBIZ-11948
> > Project: OFBiz
> >  Issue Type: Sub-task
> >  Components: product/catalog
> >Affects Versions: Trunk, 17.12.04, 18.12.01
> >Reporter: Jacques Le Roux
> >Assignee: Jacques Le Roux
> >Priority: Major
> > Fix For: 17.12.05, 18.12.01
> >
> >
> > Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability
> to the OFBiz security team, and we thank him for that.
> > I'll later quote here his email message when the vulnerability will be
> fixed. It's a post-auth vulnerability so we did not ask for a CVE.
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.20.1#820001)
>
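The denied-token check that the commit message quoted above describes (deny "<%" for any JSP scriptlet and "#!" for any shebang anywhere in an upload, after the image format check), together with the gap Jacques names in his later reply (tokens only neutralise non-encoded webshells), as an added illustration. This is not OFBiz's code: SecuredUpload is Java and reads its tokens from security.properties::deniedWebShellTokens, whereas this standalone Python sketch only shows the approach. The function names, the token list, the magic-number table and the sample uploads are all constructed for the example.

```python
"""Denied-token scanning of an uploaded "image", sketched in Python.

Added illustration of the approach the thread describes for OFBiz's
SecuredUpload (deny tokens such as "<%" and "#!" anywhere in the upload, and
the still-open problem of base64-encoded payloads). Not OFBiz code: the
function names, the token list and the sample inputs below are constructed.
"""
import base64
import re

# Constructed token list in the spirit of the commit message: "<%" covers
# every JSP scriptlet, "#!" covers every shebang without listing interpreters.
DENIED_TOKENS = (b"<%", b"#!")

# Magic numbers standing in for the format check of isValidImageFile.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# A run of 16+ base64 characters with optional padding; assumption: anything
# shorter is not worth decoding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def image_format(data: bytes):
    """Return the image format named by the file's magic number, else None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def find_denied_token(data: bytes):
    """First denied token found anywhere in the bytes, or None.

    The whole file is scanned, not only the header: a valid image header
    followed by a scriptlet is exactly the case the thread is about.
    """
    for tok in DENIED_TOKENS:
        if tok in data:
            return tok
    return None


def find_encoded_token(data: bytes):
    """Decode base64-looking runs and rescan them for denied tokens.

    Plain token matching sees nothing when the payload is only present
    base64-encoded; this is the 'encoded webshells' gap the thread leaves
    open. Runs that are not valid base64 are skipped.
    """
    for match in _B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        tok = find_denied_token(decoded)
        if tok is not None:
            return tok
    return None


def is_upload_allowed(data: bytes, rescan_encoded: bool = True):
    """Accept/deny decision plus the reason, in the order a secured upload
    would check: format first, then raw tokens, then decoded tokens."""
    if image_format(data) is None:
        return False, "not a recognised image format"
    tok = find_denied_token(data)
    if tok is not None:
        return False, f"denied token {tok!r} in file body"
    if rescan_encoded:
        tok = find_encoded_token(data)
        if tok is not None:
            return False, f"denied token {tok!r} inside a base64 region"
    return True, "ok"


# Constructed sample uploads (no real image data, no working payloads).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
GIF_WITH_JSP_TOKEN = b"GIF89a" + b"\x00" * 8 + b"<% hello %>"
SHEBANG_TEXT = b"#!/bin/sh\necho hi\n"
GIF_WITH_ENCODED_TOKEN = (
    b"GIF89a" + b"\x00" * 8 + base64.b64encode(b"<% hello there %>") + b"\n"
)

if __name__ == "__main__":
    for name, blob in [
        ("CLEAN_PNG", CLEAN_PNG),
        ("GIF_WITH_JSP_TOKEN", GIF_WITH_JSP_TOKEN),
        ("SHEBANG_TEXT", SHEBANG_TEXT),
        ("GIF_WITH_ENCODED_TOKEN", GIF_WITH_ENCODED_TOKEN),
    ]:
        print(name, is_upload_allowed(blob))
        if name == "GIF_WITH_ENCODED_TOKEN":
            print("  raw scan only:", is_upload_allowed(blob, rescan_encoded=False))
```

Running it shows the two outcomes the thread contrasts: the raw-token pass rejects a scriptlet appended after a valid GIF header, but lets the same bytes through once they are base64-encoded unless the decoded regions are rescanned. Two caveats for anyone adapting this: real image bodies can contain long base64-looking runs that decode to arbitrary bytes, so a production check should limit decoding to places where text legitimately lives (metadata chunks, comments) rather than the whole binary; and a token denylist is inherently incomplete, which is why it belongs alongside format validation and the other checks, not in place of them.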