This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 53dc91aa0eac034498fa2f52802d4b386f2f89e6
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Feb 23 11:46:18 2022 +0100

    Fixed: Prevent post-Auth vulnerability: FreeMarker Bypass (OFBIZ-12582)
    
    By inserting malicious content in the “Text” field from
    “/content/control/updateLayoutSubContent” -> “Templates”, an attacker may
    perform SSTI (Server-Side Template Injection) attacks, which can leverage
    FreeMarker exposed objects to bypass restrictions and obtain RCE (Remote 
Code
    Execution).
    
    This fixes it by calling SecuredUpload::isValidText on the “Text” field 
content.
    I'll check that there are no other attack opportunities...
    
Thanks: Mal Aware <aware...@gmail.com> for reporting this post-auth vulnerability
---
 .../ofbiz/content/ContentManagementServices.java       | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git 
a/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java
 
b/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java
index a9b2133..b273d66 100644
--- 
a/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java
+++ 
b/applications/content/src/main/java/org/apache/ofbiz/content/ContentManagementServices.java
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.math.BigDecimal;
 import java.nio.ByteBuffer;
 import java.sql.Timestamp;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
@@ -50,6 +51,7 @@ import org.apache.ofbiz.entity.condition.EntityOperator;
 import org.apache.ofbiz.entity.model.ModelUtil;
 import org.apache.ofbiz.entity.util.EntityQuery;
 import org.apache.ofbiz.entity.util.EntityUtil;
+import org.apache.ofbiz.security.SecuredUpload;
 import org.apache.ofbiz.security.Security;
 import org.apache.ofbiz.service.DispatchContext;
 import org.apache.ofbiz.service.GenericServiceException;
@@ -146,6 +148,20 @@ public class ContentManagementServices {
         Map<String, Object> context = UtilMisc.makeMapWritable(rcontext);
         Locale locale = (Locale) context.get("locale");
 
+        // Check if a webshell is not uploaded
+        String textData = (String) context.get("textData");
+        if (UtilValidate.isNotEmpty(textData)) {
+            try {
+                if (!SecuredUpload.isValidText(textData, 
Collections.emptyList())) {
+                    Debug.logError("================== Not saved for security 
reason ==================", MODULE);
+                    return ServiceUtil.returnError("================== Not 
saved for security reason ==================");
+                }
+            } catch (IOException e) {
+                Debug.logError("================== Not saved for security 
reason ==================", MODULE);
+                return ServiceUtil.returnError("================== Not saved 
for security reason ==================");
+            }
+        }
+
         // Knowing why a request fails permission check is one of the more 
difficult
         // aspects of content management. Setting "displayFailCond" to true 
will
         // put an html table in result.errorMessage that will show what tests 
were performed
@@ -176,7 +192,7 @@ public class ContentManagementServices {
 
         if (Debug.infoOn()) {
             Debug.logInfo("in persist... contentPurposeList(0):" + 
contentPurposeList, MODULE);
-            Debug.logInfo("in persist... textData(0):" + 
context.get("textData"), MODULE);
+            Debug.logInfo("in persist... textData(0):" + textData, MODULE);
         }
 
         GenericValue content = delegator.makeValue("Content");
