Jacques Le Roux created OFBIZ-13192:
---------------------------------------
Summary: CLONE - Secure the uploads
Key: OFBIZ-13192
URL: https://issues.apache.org/jira/browse/OFBIZ-13192
Project: OFBiz
Issue Type: Sub-task
Components: ALL APPLICATIONS, ALL PLUGINS
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
Fix For: 18.12.01
2020/08/10 the OFBiz security team received a security report by Harshit Shukla
<[email protected]>, roughly it was (quoting part of it to simplify):
bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason
behind this RCE is lack of file extension check at
catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category
Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS
credentials by uploading a webshell (based on [0]). By security, it was then
decided by the Infra and OFBiz security teams to shut down the demos.
After I decided we needed to secure all our uploads and not only checking
extensions, I began to work on the vulnerablity. During this work I discovered,
according to [1] and [2], that these AWS credentials are so far considered
harmless.
This post-auth RCE relies on the demo data. In our documentation[3], we warn
our users to not use the demo data. Notably because they allow to sign in as an
admin!
After discussing these elements with Mark J Cox (VP of ASF security team[4]) we
in common decided that no CVE was necessary.
[0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
[1]
https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
[2] https://twitter.com/SpenGietz/status/1104198404471631872
[3]
https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment
[4] https://awe.com/mark/history/index.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
