Jacques Le Roux created OFBIZ-12558:
---------------------------------------
Summary: Possible authentified attack related to Tomcat
CVE-2020-1938
Key: OFBIZ-12558
URL: https://issues.apache.org/jira/browse/OFBIZ-12558
Project: OFBiz
Issue Type: Bug
Affects Versions: 18.12.05, Upcoming Branch
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
Lion Tree <liontree0...@gmail.com> has reported us that "CVE-2020-1938 is not
fully fixed".
Though it was fixed by OFBIZ-11407, it still possible for an authentified user
to upload a webshell included in an image using one of the OFBiz upload
possibilities. That of course is not new and already covered by OFBIZ-12080
"Secure the uploads", but was still incomplete.
So this Jira covers 2 points:
# Disable bypass of Tomcat due to setting in
framework/catalina/ofbiz-component.xml
# Enforce upload prevention of webshells, specifically but not only those
included in images
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
