[
https://issues.apache.org/jira/browse/ISIS-3128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582487#comment-17582487
]
ASF subversion and git services commented on ISIS-3128:
-------------------------------------------------------
Commit 9fcab9816dac37e0f07ffe3f5c4f47df9cec8694 in isis's branch
refs/heads/master from Andi Huber
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=9fcab9816d ]
ISIS-3128: [Security] make it a config option as to whether to allow remote
access to the H2WebConsole
- changes default behavior: don't allow
> [Security] h2 console potentially vulnerable to code execution
> --------------------------------------------------------------
>
> Key: ISIS-3128
> URL: https://issues.apache.org/jira/browse/ISIS-3128
> Project: Isis
> Issue Type: Improvement
> Components: Isis Examples, Isis Examples Demo App
> Affects Versions: 2.0.0-M7
> Reporter: WilliamThomson
> Assignee: Andi Huber
> Priority: Major
> Labels: security
> Fix For: 2.0.0-RC1
>
> Attachments: 1.png, 2.png, 3.png
>
>
> First of all: I am not sure if the service is intentionally set by the
> project. But: As the current ISIS version (7.9.0) that is used by isis is
> vulnerable to it, I guess it might be relevant to you.
>
> H2 database external access is enabled and uses the SA admin user by default,
> resulting in code execution.
>
> Accessing 127.0.0.1:8080/db, you can log in without an additional username and
> password, because the project permits SA login (see 1.png, 2.png).
>
> The SA account can execute SQL queries, causing code execution (see 3.png).
>
> PoC like this:
> CREATE ALIAS GET_SYSTEM_PROPERTY FOR "java.lang.System.getProperty";
> CALL GET_SYSTEM_PROPERTY('java.class.path');
>
> Even if H2 DB web login is a normal service, I think it needs to be set to
> prohibit remote browser login.
>
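The commit quoted above turns remote access to the H2 web console into a config option that defaults to "don't allow". The following Java snippet is an added illustration of that pattern and is not code from the Isis project or from the commit: it starts H2's own web console (org.h2.tools.Server) and only passes the real H2 flag "-webAllowOthers", which lets non-loopback hosts connect, when an explicit opt-in property is set. The property name "demo.h2.webconsole.allowRemote" is an assumption chosen for the example; the actual option name introduced by the commit is not stated on this page.

```java
import java.sql.SQLException;
import org.h2.tools.Server;

/**
 * Starts the H2 web console bound to loopback only unless the operator
 * explicitly opts in to remote access. Mirrors the "secure by default"
 * change described in the ISIS-3128 commit; property name is hypothetical.
 */
public class H2ConsoleGuard {

    // Hypothetical opt-in property: the page does not name the real Isis option.
    static final String ALLOW_REMOTE_PROP = "demo.h2.webconsole.allowRemote";

    /**
     * Builds the argument list for Server.createWebServer.
     * Without "-webAllowOthers" H2 rejects connections that do not come from
     * 127.0.0.1 / ::1, so an attacker on the network cannot reach the SA login.
     */
    static String[] webServerArgs(boolean allowRemote, int port) {
        if (allowRemote) {
            return new String[] {"-web", "-webPort", String.valueOf(port), "-webAllowOthers"};
        }
        return new String[] {"-web", "-webPort", String.valueOf(port)};
    }

    /** Reads the opt-in flag; Boolean.getBoolean returns false when unset. */
    static boolean remoteAccessAllowed() {
        return Boolean.getBoolean(ALLOW_REMOTE_PROP);
    }

    /** Starts the console with the computed arguments and returns the running server. */
    public static Server start(int port) throws SQLException {
        boolean allowRemote = remoteAccessAllowed();
        Server server = Server.createWebServer(webServerArgs(allowRemote, port));
        return server.start();
    }

    public static void main(String[] args) throws Exception {
        // Run with -Ddemo.h2.webconsole.allowRemote=true to reproduce the
        // previous (remotely reachable) behaviour; the default is loopback only.
        Server server = start(8082);
        System.out.println("H2 console at " + server.getURL()
                + " (remote access " + (remoteAccessAllowed() ? "ENABLED" : "disabled") + ")");
        server.stop();
    }
}
```

Restricting the console to loopback addresses the reporter's concern (anyone who can reach the port can log in as SA and run CREATE ALIAS), but it is only the outer layer: the SA account should still carry a real password, and the console should not be shipped at all in production profiles. In Spring Boot based deployments the equivalent switch is the existing property spring.h2.console.settings.web-allow-others, which likewise defaults to false.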
--
This message was sent by Atlassian Jira
(v8.20.10#820010)