[ https://issues.apache.org/jira/browse/OFBIZ-12582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496665#comment-17496665 ]

ASF subversion and git services commented on OFBIZ-12582:
---------------------------------------------------------

Commit 16c8afe5d0c103aabd05b8237820a86eea761e1c in ofbiz-framework's branch refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=16c8afe ]

Fixed: Prevent post-Auth vulnerability: FreeMarker Bypass (OFBIZ-12582)

By inserting malicious content in the “Text” field from “/content/control/updateLayoutSubContent” -> “Templates”, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and obtain RCE (Remote Code Execution).

This fixes it by calling SecuredUpload::isValidText on the “Text” field content.

I'll check that there are no other attack opportunities...

Thanks: Mal Aware <aware...@gmail.com> for reporting this post-auth vulnerability

> Prevent post-Auth vulnerability: FreeMarker Bypass
> --------------------------------------------------
>
>                 Key: OFBIZ-12582
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12582
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: 18.12.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> By inserting malicious content in the “Text” field from
> “/content/control/updateLayoutSubContent” -> “Templates”, an attacker may
> perform SSTI (Server-Side Template Injection) attacks, which can leverage
> FreeMarker exposed objects to bypass restrictions and obtain RCE (Remote Code
> Execution).
> This FreeMarker SSTI was used to re-exploit vulnerability GHSL-2020-070

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
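An added example, not part of the Jira thread and not OFBiz's SecuredUpload::isValidText itself: a validate-before-save check of the kind the fix describes, written in Python, which rejects user-supplied text containing FreeMarker directive or interpolation syntax so that a "Text" field can never be stored as something the template engine would evaluate. The marker list, the function names and the store_subcontent_text sink are assumptions for illustration.

```python
import re
from typing import List

# FreeMarker syntax that would be evaluated if this text were rendered as a
# template: directives (<#...>, </#...>, <@...>, plus the square-bracket
# variants [#...], [@...] that FreeMarker supports when configured) and
# interpolations (${...}, #{...}). This list is an assumption for the
# example, not OFBiz's own deny-list.
FREEMARKER_MARKERS = re.compile(
    r"</?[#@]"      # <#assign, </#if, <@macro, </@macro
    r"|\[/?[#@]"    # [#assign, [/#if, [@macro, [/@macro
    r"|\$\{"        # ${expr}
    r"|#\{"         # #{expr} (legacy interpolation form)
)


def find_template_syntax(text: str) -> List[str]:
    """Return every FreeMarker marker found in text (empty list if clean)."""
    return [m.group(0) for m in FREEMARKER_MARKERS.finditer(text)]


def is_valid_text(text: str) -> bool:
    """Accept plain content; reject anything the template engine would evaluate."""
    return not find_template_syntax(text)


def store_subcontent_text(text: str, sink: dict, key: str = "text") -> bool:
    """Hypothetical persistence step guarded by the check above.

    Stores the content and returns True when it is clean; stores nothing and
    returns False when template syntax is present, mirroring the
    'validate before save' pattern of the fix.
    """
    if not is_valid_text(text):
        return False
    sink[key] = text
    return True


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    samples = {
        "plain": "Welcome to our store. Prices include VAT.",
        "directive": "Hello <#assign x = 1>",
        "interpolation": "Total: ${order.total}",
        "bracket_syntax": "[@macro name][/@macro]",
    }
    for name, value in samples.items():
        print(f"{name}: valid={is_valid_text(value)} "
              f"markers={find_template_syntax(value)}")
```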