[ https://issues.apache.org/jira/browse/OFBIZ-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495606#comment-17495606 ]

ASF subversion and git services commented on OFBIZ-12080:
---------------------------------------------------------

Commit c638ec26f8a0d2b78f1f275dcc5ff934e3019a30 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c638ec2 ]

Fixed: Secure the uploads (OFBIZ-12080)

Trivial change in DataServices.java: uses the SecuredUpload import in 2 places
where it was missing.

Adds some tokens in security.properties::deniedWebShellTokens
Removes a duplicated htaccess in security.properties::deniedFileExtensions


> Secure the uploads
> ------------------
>
>                 Key: OFBIZ-12080
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12080
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.07, 18.12.01
>
>         Attachments: OFBIZ-12080.patch
>
>
> 2020/08/10 the OFBiz security team received a security report by Harshit 
> Shukla <harshit.sh...@gmail.com>, roughly it was (quoting part of it to 
> simplify):
> bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason 
> behind this RCE is lack of file extension check at 
> catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category
> Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS 
> credentials by uploading a webshell (based on [0]). For security reasons, it was then 
> decided by the Infra and OFBiz security teams to shut down the demos.
> After I decided we needed to secure all our uploads and not only check 
> extensions, I began to work on the vulnerability. During this work I 
> discovered, according to [1] and [2], that these AWS credentials are so far 
> considered harmless.
> This post-auth RCE relies on the demo data. In our documentation[3], we warn 
> our users not to use the demo data. Notably because they allow signing in as 
> an admin!
> After discussing these elements with Mark J Cox (VP of ASF security team[4]) 
> we jointly decided that no CVE was necessary.
> [0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
> [1] https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
> [2] https://twitter.com/SpenGietz/status/1104198404471631872
> [3] https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment
> [4] https://awe.com/mark/history/index.html



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
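The report above boils down to one missing control (no file extension check on an image upload) and the fix adds two layers (a denied-extension list and a denied-webshell-token scan in security.properties). The following is an added example, written for this page and not OFBiz's SecuredUpload code, that shows why extension checking alone is not enough and how the layers compose: denied extensions are applied to every segment of a double extension, the declared image type must match the file's magic bytes, and the whole payload is scanned for server-side code tokens so that a polyglot (valid PNG header followed by JSP) is still rejected. The deny lists, the sample filenames and the JSP stub are all constructed for the example; the token list is a hypothetical one modelled on the idea of deniedWebShellTokens, not copied from the project's properties file.

```python
# Added example: a layered upload gate. Not OFBiz code; lists are constructed.

# Constructed deny list, in the spirit of deniedFileExtensions (assumed, not copied).
DENIED_EXTENSIONS = {
    "jsp", "jspx", "jsw", "jsv", "jspf", "php", "phtml", "asp", "aspx",
    "sh", "bat", "cmd", "htaccess", "war", "jar", "class",
}
# Constructed token list, in the spirit of deniedWebShellTokens (assumed, not copied).
# Tokens are kept several bytes long to limit chance matches inside binary image data.
DENIED_WEBSHELL_TOKENS = (
    "<%@", "<% ", "<%=", "runtime.getruntime", "processbuilder", "<?php",
    "eval(", "system(", "shell_exec", "<script", "#!/bin/",
)
# Magic bytes for the image types an image-upload endpoint is expected to accept.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def extension_segments(filename):
    """Return every extension segment, lower-cased, so a double extension such
    as cmd.jsp.png yields ['jsp', 'png'] and both segments get checked."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def check_upload(filename, content, expected_kind="image"):
    """Return (accepted, reason); rejects at the first failing layer."""
    # Layer 0: control characters in the name (NUL-truncation tricks) are
    # rejected outright rather than normalised away.
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return False, "control character in filename"
    segments = extension_segments(filename)
    if not segments:
        return False, "no extension"
    # Layer 1: denied extensions, applied to every segment, not only the last.
    for seg in segments:
        if seg in DENIED_EXTENSIONS:
            return False, "denied extension: ." + seg
    # Layer 2: for an image upload, the bytes must carry the declared type's magic.
    if expected_kind == "image":
        magic = IMAGE_MAGIC.get(segments[-1])
        if magic is None:
            return False, "not an accepted image extension: ." + segments[-1]
        if not content.startswith(magic):
            return False, "content does not match ." + segments[-1] + " magic bytes"
    # Layer 3: scan the whole payload for server-side code tokens; this is what
    # catches a polyglot whose valid image header is followed by JSP.
    text = content.decode("latin-1").lower()
    for token in DENIED_WEBSHELL_TOKENS:
        if token in text:
            return False, "denied webshell token: " + repr(token)
    return True, "ok"


# Constructed sample uploads (not real captures; the JSP stub is not the cmd.jsp cited above).
PNG_STUB = IMAGE_MAGIC["png"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
JSP_SHELL = (b'<%@ page import="java.io.*" %>'
             b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')

SAMPLES = {
    "clean image":      ("logo.png", PNG_STUB),
    "plain webshell":   ("cmd.jsp", JSP_SHELL),
    "double extension": ("cmd.jsp.png", JSP_SHELL),
    "renamed webshell": ("cmd.png", JSP_SHELL),
    "polyglot image":   ("cmd.png", PNG_STUB + JSP_SHELL),
    "nul truncation":   ("cmd.jsp\x00.png", JSP_SHELL),
}


def run_samples():
    """Run every constructed sample through the gate; only 'clean image' passes."""
    return {name: check_upload(fn, data) for name, (fn, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print(f"{name:18} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

Two caveats a practitioner should keep in mind. A substring scan over binary data can false-positive on a large JPEG that happens to contain a short token, which is why the constructed tokens are several bytes long and the scan is the last layer rather than the only one. And none of these checks replaces the deployment-side control from the hardening guide cited as [3]: uploaded files must be stored where the servlet container will never compile or execute them, so that a file which slips past every layer is still only data.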