[ https://issues.apache.org/jira/browse/OFBIZ-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496672#comment-17496672 ]
ASF subversion and git services commented on OFBIZ-12080: --------------------------------------------------------- Commit 0de23fa780b4eeee0c3c20eb13993881f7f014d5 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=0de23fa ] Fixed: Secure the uploads (OFBIZ-12080) Adds some tokens in security.properties::deniedWebShellTokens Updates SecurityUtilTest::webShellTokensTesting accordingly # Conflicts handled by hand framework/security/config/security.properties framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java > Secure the uploads > ------------------ > > Key: OFBIZ-12080 > URL: https://issues.apache.org/jira/browse/OFBIZ-12080 > Project: OFBiz > Issue Type: Sub-task > Components: ALL APPLICATIONS, ALL PLUGINS > Affects Versions: Trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Priority: Major > Fix For: 17.12.07, 18.12.01 > > Attachments: OFBIZ-12080.patch > > > 2020/08/10 the OFBiz security team received a security report by Harshit > Shukla <harshit.sh...@gmail.com>, roughly it was (quoting part of it to > simplify): > bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason > behind this RCE is lack of file extension check at > catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category > Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS > credentials by uploading a webshell (based on [0]). By security, it was then > decided by the Infra and OFBiz security teams to shut down the demos. > After I decided we needed to secure all our uploads and not only checking > extensions, I began to work on the vulnerablity. During this work I > discovered, according to [1] and [2], that these AWS credentials are so far > considered harmless. > This post-auth RCE relies on the demo data. In our documentation[3], we warn > our users to not use the demo data. Notably because they allow to sign in as > an admin! > After discussing these elements with Mark J Cox (VP of ASF security team[4]) > we in common decided that no CVE was necessary. > [0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp > [1] > https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/ > [2] https://twitter.com/SpenGietz/status/1104198404471631872 > [3] > https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment > [4] https://awe.com/mark/history/index.html -- This message was sent by Atlassian Jira (v8.20.1#820001)