[ 
https://issues.apache.org/jira/browse/OFBIZ-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495162#comment-17495162
 ] 

ASF subversion and git services commented on OFBIZ-12080:
---------------------------------------------------------

Commit 4d70280cb86c65a096b71b560623d33bc563e960 in ofbiz-framework's branch 
refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4d70280 ]

Fixed: Secure the uploads (OFBIZ-12080)

Last commits put in an issue in DataServices.java and GroovyBaseScript.groovy.
I should have used SecuredUpload::isValidFileName with dataResourceName and
SecuredUpload::isValidFile with objectInfo. This fixes that.

Also fixes formatting checkstyle issues in SecuredUpload class.

Also fixes formatting checkstyle issues in SecuredUpload class and moves allow
all and check line length to the right places (it's about content).


> Secure the uploads
> ------------------
>
>                 Key: OFBIZ-12080
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12080
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.07, 18.12.01
>
>         Attachments: OFBIZ-12080.patch
>
>
> 2020/08/10 the OFBiz security team received a security report by Harshit 
> Shukla <harshit.sh...@gmail.com>, roughly it was (quoting part of it to 
> simplify):
> bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason 
> behind this RCE is lack of file extension check at 
> catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category
> Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS 
> credentials by uploading a webshell (based on [0]). By security, it was then 
> decided by the Infra and OFBiz security teams to shut down the demos.
> After I decided we needed to secure all our uploads and not only checking 
> extensions, I began to work on the vulnerability. During this work I 
> discovered, according to [1] and [2], that these AWS credentials are so far 
> considered harmless.
> This post-auth RCE relies on the demo data. In our documentation[3], we warn 
> our users to not use the demo data. Notably because they allow signing in as 
> an admin!
> After discussing these elements with Mark J Cox (VP of ASF security team[4]) 
> we in common decided that no CVE was necessary.
> [0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
> [1] https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
> [2] https://twitter.com/SpenGietz/status/1104198404471631872
> [3] https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment
> [4] https://awe.com/mark/history/index.html
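The commit message above says the fix is to validate the file name (dataResourceName) with one check and the uploaded bytes (objectInfo) with a second one. The following is an added illustration of that two-step idea for an image-upload endpoint like the one in the report; it is not OFBiz's SecuredUpload code, only the method names mirror the ones in the commit message, and the allow-list, regex and magic numbers are this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Illustrative validator for an image-upload endpoint; not OFBiz's SecuredUpload. */
public final class UploadChecks {
    // Allow-list: what a category-image upload may legitimately carry (assumed set).
    private static final Set<String> IMAGE_EXTENSIONS = Set.of("png", "jpg", "jpeg", "gif");
    // Plain base names only: no path separators, no traversal, exactly one dot.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,120}\\.[A-Za-z0-9]{1,5}$");
    // Markers that never belong in an image but would run if the file were ever served as JSP.
    private static final String[] FORBIDDEN_TOKENS = {"<%", "<jsp:", "<script"};
    private static final byte[] PNG = {(byte) 0x89, 'P', 'N', 'G'};
    private static final byte[] JPG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] GIF = {'G', 'I', 'F', '8'};

    private static String extensionOf(String fileName) {
        return fileName.substring(fileName.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
    }

    /** Check 1, on the user-supplied name (the dataResourceName of the commit message). */
    public static boolean isValidFileName(String fileName) {
        return fileName != null && SAFE_NAME.matcher(fileName).matches()
                && IMAGE_EXTENSIONS.contains(extensionOf(fileName));
    }

    /** Check 2, on the bytes (objectInfo): magic number must match the name, no script markers. */
    public static boolean isValidFile(byte[] content, String fileName) {
        if (content == null || !isValidFileName(fileName)) {
            return false;
        }
        byte[] magic = switch (extensionOf(fileName)) {
            case "png" -> PNG;
            case "jpg", "jpeg" -> JPG;
            default -> GIF;
        };
        if (content.length < magic.length || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            return false;
        }
        // Scan the whole body, so a valid image header followed by script text is still rejected.
        String text = new String(content, StandardCharsets.ISO_8859_1).toLowerCase(Locale.ROOT);
        return Arrays.stream(FORBIDDEN_TOKENS).noneMatch(text::contains);
    }

    public static void main(String[] args) {
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}; // constructed PNG header
        byte[] polyglot = Arrays.copyOf(png, 16); // constructed: PNG header with a JSP marker after it
        System.arraycopy("<% %>".getBytes(StandardCharsets.ISO_8859_1), 0, polyglot, 8, 5);
        System.out.println(isValidFileName("logo.png") + " " + isValidFileName("../x.jsp"));
        System.out.println(isValidFile(png, "logo.png") + " " + isValidFile(polyglot, "logo.png"));
    }
}
```

The name check alone would have accepted the polyglot, which is why the commit applies the content check separately to the bytes rather than trusting the extension.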



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
