[GitHub] [ofbiz-framework] sonarcloud[bot] removed a comment on pull request #230: Implemented: Use NPM with gradle to get external JS dependencies (OFBIZ-11960)

2021-10-10 Thread GitBox


sonarcloud[bot] removed a comment on pull request #230:
URL: https://github.com/apache/ofbiz-framework/pull/230#issuecomment-939255954


   Kudos, SonarCloud Quality Gate passed!

   Bugs: 0 (rating A)
   Vulnerabilities: 0 (rating A)
   Security Hotspots: 0 (rating A)
   Code Smells: 0 (rating A)
   No Coverage information
   Duplication: 0.0%


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@ofbiz.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [ofbiz-framework] sonarcloud[bot] commented on pull request #230: Implemented: Use NPM with gradle to get external JS dependencies (OFBIZ-11960)

2021-10-10 Thread GitBox


sonarcloud[bot] commented on pull request #230:
URL: https://github.com/apache/ofbiz-framework/pull/230#issuecomment-939514346


   Kudos, SonarCloud Quality Gate passed!

   Bugs: 0 (rating A)
   Vulnerabilities: 0 (rating A)
   Security Hotspots: 0 (rating A)
   Code Smells: 0 (rating A)
   No Coverage information
   Duplication: 0.0%






[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426819#comment-17426819 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit c859c6f63664ddc12f1ea19355af52d4710ba385 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c859c6f ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

When I removed service-permission-tests, I forgot to remove associated
load-data-service-permission-tests :/


> post-auth Remote Code Execution Vulnerability
> -
>
> Key: OFBIZ-12332
> URL: https://issues.apache.org/jira/browse/OFBIZ-12332
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework/webtools
>Affects Versions: Trunk
>Reporter: Jie Zhu
>Assignee: Jacques Le Roux
>Priority: Minor
> Fix For: 18.12.01, Release Branch 17.12
>
> Attachments: LocallyAdaptedPayload.txt, 
> image-2021-10-03-11-43-20-021.png, image-2021-10-03-11-43-31-228.png, 
> payload.txt, payload_20211008.txt, payload_windows.txt
>
>
> I found that the latest version of the OFBiz framework was affected by an 
> XMLRPC Remote Code Execution Vulnerability.
> This vulnerability is caused by an incomplete patch for CVE-2020-9496.
> !image-2021-10-03-11-43-20-021.png!
> Successful exploit:
> !image-2021-10-03-11-43-31-228.png!
> Please refer to the attachment for payload details. This HTTP request will 
> execute the command `touch /tmp/success` on the attacked server.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426820#comment-17426820 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit c5aeab0fe9845026533e1fbf9a46ec8f9c3292d5 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c5aeab0 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

When I removed service-permission-tests, I forgot to remove associated
load-data-service-permission-tests :/




[jira] [Commented] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426818#comment-17426818 ]

Jacques Le Roux commented on OFBIZ-12335:

The last 3 commits are actually related to OFBIZ-12332

> Refactor methods signature to reduce the number of params they use
> --
>
> Key: OFBIZ-12335
> URL: https://issues.apache.org/jira/browse/OFBIZ-12335
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL COMPONENTS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Priority: Minor
> Fix For: Upcoming Branch
>
>
> We currently have 115 checkstyle errors, most are related to methods using a 
> too high number of params.





[jira] [Comment Edited] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426818#comment-17426818 ]

Jacques Le Roux edited comment on OFBIZ-12335 at 10/10/21, 3:22 PM:


The last 3 commits are actually related to OFBIZ-12332


was (Author: jacques.le.roux):
The last 3 commits are actually related ot OFBIZ-12332



[jira] [Commented] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426805#comment-17426805 ]

ASF subversion and git services commented on OFBIZ-12335:

Commit 351d752690bf0f15b441d2dd468f8caf5cb202de in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=351d752 ]

Improved: Refactor methods signature to reduce the number of params they use 
(OFBIZ-12335)

Fixes a typo about filterConfiguration in CacheFilter.java




[jira] [Commented] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426803#comment-17426803 ]

ASF subversion and git services commented on OFBIZ-12335:

Commit d960b2b0caf14b706271e516ea7eb39c4eb32551 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=d960b2b ]

Improved: Refactor methods signature to reduce the number of params they use 
(OFBIZ-12335)

Fixes a typo about filterConfiguration in CacheFilter.java




[jira] [Commented] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426804#comment-17426804 ]

ASF subversion and git services commented on OFBIZ-12335:

Commit 92c4c5dbfe5e43776b737049824753c63c69cbe5 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=92c4c5d ]

Improved: Refactor methods signature to reduce the number of params they use 
(OFBIZ-12335)

Fixes a typo about filterConfiguration in CacheFilter.java




[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426801#comment-17426801 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit 1c93a26ccc62bc41f2b062ec93fe8eead70d1e43 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=1c93a26 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

Removes service-permission-tests accidentally added while handling conflicts by
hand




[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426802#comment-17426802 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit abb3fe31c2a077624459679bae8ba822a9e4f1f2 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=abb3fe3 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

Removes service-permission-tests accidentally added while handling conflicts by
hand




[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426791#comment-17426791 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit 6872e2a6954dd858ae08a850949c0d4882ced13c in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=6872e2a ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

In previous commit, in CacheFilter::doFilter, I checked "xmlrpc"  when it was
actually "/control/xmlrpc"




[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426790#comment-17426790 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit 006ce17647f591fc90aa64a46856e5c1d2b9597a in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=006ce17 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

In previous commit, in CacheFilter::doFilter, I checked "xmlrpc"  when it was
actually "/control/xmlrpc"




[jira] [Commented] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426787#comment-17426787 ]

ASF subversion and git services commented on OFBIZ-12335:

Commit 3dbcb70f78f9addd13331880748b872f20806ae2 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3dbcb70 ]

Improved: Refactor methods signature to reduce the number of params they use 
(OFBIZ-12335)

Forgot the change in build.gradle




[jira] [Commented] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426777#comment-17426777 ]

ASF subversion and git services commented on OFBIZ-12335:

Commit 3dc7731689122d1bdacf72a6f0f6a7cbf3b00376 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3dc7731 ]

Improved: Refactor methods signature to reduce the number of params they use 
(OFBIZ-12335)

We currently have 115 checkstyle errors, most are related to methods using a too
high number of params.

Obviously nobody currently has time to work on this issue.

This commit increases the max ParameterNumber to 26 to hide all current related
errors. This reduces checkstyle errors to 54. It also makes it easier to focus on
other errors.
It is still possible to work on OFBIZ-12335 by temporarily reverting this commit or
replacing max ParameterNumber by the number wanted (was 10, is 7 by default)




[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426776#comment-17426776 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit 19d29325910ee2c904b63a951437aa59f73f1d93 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=19d2932 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

In previous commit, in CacheFilter::doFilter, I checked "xmlrpc"  when it was
actually "/control/xmlrpc"




[jira] [Created] (OFBIZ-12335) Refactor methods signature to reduce the number of params they use

2021-10-10 Thread Jacques Le Roux (Jira)
Jacques Le Roux created OFBIZ-12335:

 Summary: Refactor methods signature to reduce the number of params 
they use
 Key: OFBIZ-12335
 URL: https://issues.apache.org/jira/browse/OFBIZ-12335
 Project: OFBiz
  Issue Type: Improvement
  Components: ALL COMPONENTS
Affects Versions: Trunk
Reporter: Jacques Le Roux
 Fix For: Upcoming Branch


We currently have 115 checkstyle errors, most are related to methods using a 
too high number of params.





[jira] [Closed] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread Jie Zhu (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jie Zhu closed OFBIZ-12332.
Resolution: Fixed



[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426759#comment-17426759 ]

Jacques Le Roux commented on OFBIZ-12332:

Hi Jie Zhu,

Please close if it's OK with you, TIA



[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426756#comment-17426756 ]

ASF subversion and git services commented on OFBIZ-12332:

Commit 25293e4cf6f334a2ae33b3041acba45113dddce9 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=25293e4 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

This definitely solves all issues by introducing a CacheFilter and
RequestWrapper classes inspired by several works found on the Net.
Also moves the change introduced before in ContextFilter to CacheFilter.

The basic problem is that you can only use ServletRequest::getInputStream or
ServletRequest::getReader once.
Also not both, even once, i.e. they can be seen as the same from this POV.

The integration tests all pass.

Also replace the checked String "" by ""

Thanks: Jie Zhu for report

Conflicts: ContextFilter.java handled by hand





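The commit message above describes the core constraint: a servlet container hands out the request body as a one-shot stream, so a filter that reads it to inspect it leaves nothing for the handler behind it (and calling both getInputStream() and getReader() on the same request is likewise illegal). The usual remedy is the one the commit names, a caching wrapper that reads the body exactly once into memory and replays it on every later read. The following is an added illustration of that pattern written for this page; it is not the OFBiz CacheFilter or RequestWrapper code and was not taken from the commit. It assumes the javax.servlet 3.1 API, a hypothetical size bound MAX_BODY_BYTES, and a placeholder marker string in place of the elided check quoted in the commit message.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative body-caching filter (not the OFBiz CacheFilter): buffers the request
 * body once, inspects the buffered copy, and passes a replayable request down the
 * chain so the real handler can still call getInputStream() or getReader() itself.
 */
public class BodyCacheFilter implements Filter {

    /** Hypothetical upper bound: buffering a body in memory is only safe with a limit. */
    static final int MAX_BODY_BYTES = 1024 * 1024;

    /** Placeholder for the elided string the commit message checks for; not a real value. */
    static final String FORBIDDEN_MARKER = "PLACEHOLDER_FORBIDDEN_MARKER";

    /** Raised when the body exceeds the bound, so the filter can answer 413 rather than 500. */
    static final class BodyTooLargeException extends IOException {
        BodyTooLargeException(int limit) { super("request body exceeds " + limit + " bytes"); }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse httpRes = (HttpServletResponse) res;
        CachedBodyRequest cached;
        try {
            // The container stream is consumed here, exactly once.
            cached = new CachedBodyRequest((HttpServletRequest) req, MAX_BODY_BYTES);
        } catch (BodyTooLargeException e) {
            httpRes.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        // Inspect the buffered copy; the original stream being exhausted no longer matters.
        if (cached.bodyAsString().contains(FORBIDDEN_MARKER)) {
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Downstream code receives a request whose body can be read any number of times.
        chain.doFilter(cached, res);
    }

    /** Request wrapper that replays the cached body on every getInputStream()/getReader() call. */
    static final class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;

        CachedBodyRequest(HttpServletRequest request, int maxBytes) throws IOException {
            super(request);
            this.body = readBounded(request.getInputStream(), maxBytes);
        }

        private static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                if (out.size() + n > maxBytes) throw new BodyTooLargeException(maxBytes);
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }

        /** Decodes with the declared request charset, assuming UTF-8 when none is declared. */
        String bodyAsString() {
            String enc = getCharacterEncoding();
            return new String(body, enc != null ? Charset.forName(enc) : StandardCharsets.UTF_8);
        }

        @Override
        public ServletInputStream getInputStream() {
            ByteArrayInputStream bais = new ByteArrayInputStream(body); // fresh stream per call
            return new ServletInputStream() {
                @Override public int read() { return bais.read(); }
                @Override public boolean isFinished() { return bais.available() == 0; }
                @Override public boolean isReady() { return true; }
                @Override public void setReadListener(ReadListener l) {
                    throw new UnsupportedOperationException("async reads not supported on a cached body");
                }
            };
        }

        @Override
        public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }
}
```

Two points worth keeping in mind when adopting this pattern: the wrapper must be what is passed to chain.doFilter(), not the original request, otherwise the handler still gets the drained container stream; and because the whole body now lives in heap, the size bound is part of the security property, since without it a large upload turns the inspection step into a memory exhaustion problem.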


[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426754#comment-17426754
 ] 

ASF subversion and git services commented on OFBIZ-12332:
-

Commit fb495637441cfe331943d34ce2d0943bc8c30552 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=fb49563 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

This definitely solves all issues by introducing a CacheFilter and
RequestWrapper classes inspired by several works found on the Net.
Also moves the change introduced before in ContextFilter to CacheFilter.

The basic problem is that you can only use ServletRequest::getInputStream or
ServletRequest::getReader once.
Also not both, even once, i.e. they can be seen as the same from this POV.

The integration tests all pass.

Also replace the checked String "" by ""

Thanks: Jie Zhu for report

Conflicts: ContextFilter.java handled by hand







[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426758#comment-17426758
 ] 

ASF subversion and git services commented on OFBIZ-12332:
-

Commit a5bdcc6f9ea59d5d614f64832d5b6acec8e81e97 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a5bdcc6 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

This definitely solves all issues by introducing a CacheFilter and
RequestWrapper classes inspired by several works found on the Net.
Also moves the change introduced before in ContextFilter to CacheFilter.

The basic problem is that you can only use ServletRequest::getInputStream or
ServletRequest::getReader once.
Also not both, even once, i.e. they can be seen as the same from this POV.

The integration tests all pass.

Also replace the checked String "" by ""

Thanks: Jie Zhu for report







[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426757#comment-17426757
 ] 

ASF subversion and git services commented on OFBIZ-12332:
-

Commit a1a24bd9100ccd16732a92eed61e4f7c05d90ca7 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a1a24bd ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

This definitely solves all issues by introducing a CacheFilter and
RequestWrapper classes inspired by several works found on the Net.
Also moves the change introduced before in ContextFilter to CacheFilter.

The basic problem is that you can only use ServletRequest::getInputStream or
ServletRequest::getReader once.
Also not both, even once, i.e. they can be seen as the same from this POV.

The integration tests all pass.

Also replace the checked String "" by ""

Thanks: Jie Zhu for report

# Conflicts handled by hand
  CacheFilter.java
  RequestWrapper.java







[jira] [Commented] (OFBIZ-12332) post-auth Remote Code Execution Vulnerability

2021-10-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17426755#comment-17426755
 ] 

ASF subversion and git services commented on OFBIZ-12332:
-

Commit b6257b720ba276306c6f7a96aa324fa5ce383391 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b6257b7 ]

Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

This definitely solves all issues by introducing a CacheFilter and
RequestWrapper classes inspired by several works found on the Net.
Also moves the change introduced before in ContextFilter to CacheFilter.

The basic problem is that you can only use ServletRequest::getInputStream or
ServletRequest::getReader once.
Also not both, even once, i.e. they can be seen as the same from this POV.

The integration tests all pass.

Also replace the checked String "" by ""

Thanks: Jie Zhu for report

# Conflicts handled by hand
  CacheFilter.java
  RequestWrapper.java




