Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Jacques Le Roux

We crossed on wire Michael :)

On 04/02/2022 at 14:34, Michael Brohl wrote:

The scrum component contains a Python script which is used together with git hooks.

So Jacques's statement was entirely accurate.

Michael

On 04.02.22 at 14:15, Pierre Smits wrote:

Hi Jacques,

in a posting above, you stated:

* Adds "https://ofbiz.apache.org/> since
2008 (without privileges)
Proud contributor to the ASF since 2006
*Apache Directory , PMC Member*

Anyone could have been you, whereas I've always been anyone.


On Fri, Feb 4, 2022 at 2:06 PM Jacques Le Roux wrote:


Hi Pierre,

How is your question related?

On 04/02/2022 at 12:53, Pierre Smits wrote:

Hi Jacques,

Wasn't there PHP code in the scrum application/component to work with a git repository?

Or was that Python?


On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <j...@apache.org> wrote:


[ https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487028#comment-17487028 ]

ASF subversion and git services commented on OFBIZ-11948:
-

Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]

Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)

Lion Tree has reported to us that "CVE-2020-1938 is not fully fixed".

Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
user to upload a webshell included in an image using one of the upload
possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
"Secure the uploads", but it was still incomplete.

This enforces the secured uploads by
* checking in SecuredUpload::isValidImageFile that a webshell is not
  embedded in an image.
* Keeping only "<%" as a denied token for JSP webshells, instead of
  currently "<%@ page"
* Adds "application/text/x-ruby" to SecuredUpload::isExecutable

Also
* Adds "
  it's often installed on servers.
* Removes "import=\"java" and "runtime.getruntime().exec(". They are no
  longer useful since "<%" and "
* Remove php token since I'll put "
* Adds "#!", rather than adding other shebangs like perl, python and ruby

This will make deniedWebShellTokens more understandable.

But I'm conscious that despite SecuredUpload::isExecutable I still need to
better handle encoded webshells. I'll do that soon in a second approach.

I'll also certainly prune more PHP-related tokens.

Thanks: Lion Tree for the report



Remote Code Execution (File Upload) Vulnerability
-

Key: OFBIZ-11948
URL: https://issues.apache.org/jira/browse/OFBIZ-11948
Project: OFBiz
Issue Type: Sub-task
Components: product/catalog
Affects Versions: Trunk, 17.12.04, 18.12.01
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
Priority: Major
Fix For: 17.12.05, 18.12.01


Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability to the OFBiz security team, and we thank him for that.

I'll later quote here his email message when the vulnerability is fixed. It's a post-auth vulnerability so we did not ask for a CVE.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
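
The denied-token check that the quoted commit message describes (an image validity check in SecuredUpload::isValidImageFile combined with a deniedWebShellTokens list), as an added example written for this page and not OFBiz's own code: it verifies a PNG header, then scans the whole upload for literal tokens such as "<%" and "#!". The function names, the two-token list and the in-memory sample PNG are assumptions and constructed data; as the commit message itself says, a literal scan only catches non-encoded tokens.

```python
# Added example, not OFBiz's SecuredUpload code. Names and the token list are
# assumptions; OFBiz's real list lives in security.properties::deniedWebShellTokens.
import struct
import zlib

# Constructed denylist mirroring the two tokens the commit names:
# "<%" for JSP pages, "#!" for any interpreter shebang.
DENIED_WEBSHELL_TOKENS = (b"<%", b"#!")

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def has_valid_png_header(data: bytes) -> bool:
    """Structural check: PNG signature followed by a 13-byte IHDR chunk."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    return ctype == b"IHDR" and length == 13


def find_denied_tokens(data: bytes, tokens=DENIED_WEBSHELL_TOKENS) -> list:
    """Return the denied tokens that occur literally anywhere in the upload.

    The whole file is scanned, not only the header, because the commit
    targets webshells embedded in otherwise valid images. A literal scan
    only catches non-encoded tokens, the gap the author says is still open.
    """
    return [t for t in tokens if t in data]


def is_valid_image_file(data: bytes) -> bool:
    """Accept only uploads that look like a PNG and carry no denied token."""
    return has_valid_png_header(data) and not find_denied_tokens(data)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Build a minimal valid 1x1 RGB PNG in memory (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00"  # filter byte + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = make_sample_png()
    # A JSP comment appended after IEND: still a parseable PNG, but rejected.
    tainted = clean + b"<%-- constructed marker --%>"
    print(is_valid_image_file(clean), is_valid_image_file(tainted))
```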



Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Jacques Le Roux
Ah OK, then this sentence was inappropriate, nothing more. Actually the idea, from a security POV, is to add "security.properties::deniedWebShellTokens to neutralise non-encoded PHP webshells.


Mmm, I just checked. It's about Python:
https://github.com/apache/ofbiz-plugins/tree/trunk/scrum/data/hookscripts

Anyway this does not add anything since I have also added <<"#!", rather than adding other shebangs for perl, python and ruby>>, still to neutralise only non-encoded webshells.


You would have certainly understood that I'm still working on encoded webshells...

HTH




Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Michael Brohl
The scrum component contains a Python script which is used together with git hooks.


So Jacques's statement was entirely accurate.

Michael




Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Pierre Smits
Hi Jacques,

in a posting above, you stated:

* Adds "https://ofbiz.apache.org/> since
2008 (without privileges)
Proud contributor to the ASF since 2006
*Apache Directory , PMC Member*

Anyone could have been you, whereas I've always been anyone.


On Fri, Feb 4, 2022 at 2:06 PM Jacques Le Roux wrote:

> Hi Pierre,
>
> How is your question related?
>
> On 04/02/2022 at 12:53, Pierre Smits wrote:
> > Hi Jacques,
> >
> > Wasn't there PHP code in the scrum application/component to work with a
> > git repository?
> >
> > Or was that Python?
> >
> >
> > On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <j...@apache.org> wrote:
> >
> >> [ https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487028#comment-17487028 ]
> >>
> >> ASF subversion and git services commented on OFBIZ-11948:
> >> -
> >>
> >> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
> >> branch refs/heads/trunk from Jacques Le Roux
> >> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
> >>
> >> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
> >>
> >> Lion Tree has reported to us that "CVE-2020-1938 is not fully fixed".
> >>
> >> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
> >> user to upload a webshell included in an image using one of the upload
> >> possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
> >> "Secure the uploads", but it was still incomplete.
> >>
> >> This enforces the secured uploads by
> >> * checking in SecuredUpload::isValidImageFile that a webshell is not
> >>   embedded in an image.
> >> * Keeping only "<%" as a denied token for JSP webshells, instead of
> >>   currently "<%@ page"
> >> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
> >>
> >> Also
> >> * Adds "
> >>   it's often installed on servers.
> >> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
> >>   longer useful since "<%" and "
> >> * Remove php token since I'll put "
> >> * Adds "#!", rather than adding other shebangs like perl, python and ruby
> >>
> >> This will make deniedWebShellTokens more understandable.
> >>
> >> But I'm conscious that despite SecuredUpload::isExecutable I still need to
> >> better handle encoded webshells. I'll do that soon in a second approach.
> >>
> >> I'll also certainly prune more PHP-related tokens.
> >>
> >> Thanks: Lion Tree for the report
> >>
> >>
> >>> Remote Code Execution (File Upload) Vulnerability
> >>> -
> >>>
> >>> Key: OFBIZ-11948
> >>> URL: https://issues.apache.org/jira/browse/OFBIZ-11948
> >>> Project: OFBiz
> >>> Issue Type: Sub-task
> >>> Components: product/catalog
> >>> Affects Versions: Trunk, 17.12.04, 18.12.01
> >>> Reporter: Jacques Le Roux
> >>> Assignee: Jacques Le Roux
> >>> Priority: Major
> >>> Fix For: 17.12.05, 18.12.01
> >>>
> >>>
> >>> Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability
> >>> to the OFBiz security team, and we thank him for that.
> >>> I'll later quote here his email message when the vulnerability is
> >>> fixed. It's a post-auth vulnerability so we did not ask for a CVE.
> >>
> >>
> >>
>


Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Jacques Le Roux

Hi Pierre,

How is your question related?




Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-04 Thread Pierre Smits
Hi Jacques,

Wasn't there PHP code in the scrum application/component to work with a git repository?

Or was that Python?

