[ https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490201#comment-17490201 ]
ASF subversion and git services commented on OFBIZ-11948:
---------------------------------------------------------

Commit 0a25c932ac0b9f7e4f498b9c6cd5eb314901b66d in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=0a25c93 ]

Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)

This fixes and improves file upload.

Refactors a bit the SecuredUpload class and fixes:
- Prevents double extensions
- Checks extensions
- Improves getMimeTypeFromFileName() by checking if the file exists
- In isValidImageFile() finally uses isValidText(), bypassing encoding
- Completely refactors deniedWebShellTokens in security.properties by re-adding the tokens removed in the last commit and adding several new ones (I have still to check encoded, encrypted and obfuscated webshells)
- Modifies SecurityUtilTest::webShellTokensTesting accordingly

While at it, better formats the commonsImagingSupportedFormats, deniedFileExtensions and imagejSupportedFormats properties for legibility.

Checks if the createAnonFile service is used in GroovyBaseScript.groovy and, if a complete file name is used (file exists), checks using SecuredUpload: extensions and prevention of double extensions; actually checks the whole file and stops there.

Adds some "Check if a webshell is not uploaded" comments in:
ContentManagementServices.java
DataServices.java
ScaleImage.java
FrameImage.java
ImageManagementServices.java
ProductServices.java
HttpRequestFileUpload.java
ProgramExport.groovy

Trivial comment fixes in catalog.properties

Also fixes OFBIZ 12571 (I use here a space because of pending INFRA 22843) by simply adding processbuilder to deniedWebShellTokens

Conflicts handled by hand:
framework/security/config/security.properties
framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
framework/service/src/main/groovy/org/apache/ofbiz/service/engine/GroovyBaseScript.groovy
framework/webtools/groovyScripts/entity/ProgramExport.groovy (reverted)


> Remote Code Execution (File Upload) Vulnerability
> -------------------------------------------------
>
>                 Key: OFBIZ-11948
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11948
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: product/catalog
>    Affects Versions: Trunk, 17.12.04, 18.12.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.05, 18.12.01
>
>
> Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability to the
> OFBiz security team, and we thank him for that.
> I'll later quote here his email message once the vulnerability is fixed.
> It's a post-auth vulnerability so we did not ask for a CVE.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
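The commit message above lists the checks the fix adds to file upload (no double extensions, an extension check, typing the file only if it exists, and scanning the content for denied webshell tokens such as processbuilder). The following is an added, self-contained illustration of those checks written for this page; it is not OFBiz's SecuredUpload, and the class name, allowlist, denied-token list and sample files are all illustrative assumptions:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative upload validator (added example, not OFBiz's SecuredUpload).
 * It mirrors the checks named in the commit message: reject double extensions,
 * allow only known extensions, only type a file that actually exists, and scan
 * the file's text for denied webshell tokens.
 */
public final class UploadCheck {

    // Assumed allowlist; OFBiz keeps its own lists in security.properties.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("jpg", "jpeg", "png", "gif", "pdf", "txt");

    // Assumed denied tokens, kept lower-case for a case-insensitive match.
    // "processbuilder" is the token the commit message says it added.
    private static final List<String> DENIED_WEBSHELL_TOKENS = List.of(
            "<%", "<?php", "<script", "processbuilder", "runtime.getruntime", "eval(");

    private UploadCheck() {}

    /** A name must carry exactly one extension and that extension must be allowed. */
    public static boolean hasAllowedSingleExtension(String fileName) {
        // Path separators or an empty name are rejected before any extension logic.
        if (fileName == null || fileName.isEmpty()
                || fileName.contains("/") || fileName.contains("\\")) {
            return false;
        }
        String[] parts = fileName.split("\\.", -1);
        // "a.jpg" gives 2 parts; "a.jsp.jpg" gives 3 (double extension); "a" gives 1 (none).
        if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) {
            return false;
        }
        return ALLOWED_EXTENSIONS.contains(parts[1].toLowerCase(Locale.ROOT));
    }

    /** Decode leniently (invalid bytes become U+FFFD) and look for any denied token. */
    public static boolean containsWebShellToken(byte[] content) {
        String text = new String(content, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT);
        for (String token : DENIED_WEBSHELL_TOKENS) {
            if (text.contains(token)) {
                return true;
            }
        }
        return false;
    }

    /** The file must exist, have an allowed single extension and contain no denied token. */
    public static boolean isValidUpload(Path file) throws IOException {
        if (!Files.isRegularFile(file)) {
            return false; // typing a path that does not exist is meaningless
        }
        if (!hasAllowedSingleExtension(file.getFileName().toString())) {
            return false;
        }
        return !containsWebShellToken(Files.readAllBytes(file));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample uploads written to a temporary directory.
        Path dir = Files.createTempDirectory("uploadcheck");
        Path image = dir.resolve("photo.png");
        Files.write(image, new byte[] {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'});
        Path doubleExt = dir.resolve("shell.jsp.png");
        Files.write(doubleExt, "<% out.println(1); %>".getBytes(StandardCharsets.UTF_8));
        Path disguised = dir.resolve("notes.txt");
        Files.write(disguised, "new ProcessBuilder(\"id\").start()".getBytes(StandardCharsets.UTF_8));

        System.out.println("photo.png     valid: " + isValidUpload(image));
        System.out.println("shell.jsp.png valid: " + isValidUpload(doubleExt));
        System.out.println("notes.txt     valid: " + isValidUpload(disguised));
    }
}
```

The token scan is deliberately run on the decoded text of every accepted file, not only on files whose extension looks executable, because the point of the double-extension and content checks in the commit is that the extension alone cannot be trusted. As the commit message itself notes, a plain substring list does not catch encoded, encrypted or obfuscated webshells.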