[
https://issues.apache.org/jira/browse/OFBIZ-13192?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-13192:
------------------------------------
Description:
Follow-up bug:
The upload is a multipart and in HttpRequestFileUpload you're reading the
entire body as input stream:
[https://github.com/apache/ofbiz-framework/blob/8d69f18dd64bd6b064c4de029629b77cb88107d3/framework/base/src/main/java/org/apache/ofbiz/base/util/HttpRequestFileUpload.java#L154]
That's why "Content-Disposition" gets added to the end of the file - even for
images:
{code:java}
0009c1a0: 2d2d 2d2d 2d2d 3138 3637 3331 3336 3434 ------1867313644
0009c1b0: 3232 3339 3435 3435 3433 3237 3431 3138 2239454543274118
0009c1c0: 3032 3738 0d0a 436f 6e74 656e 742d 4469 0278..Content-Di
0009c1d0: 7370 6f73 6974 696f 6e3a 2066 6f72 6d2d sposition: form-
0009c1e0: 6461 7461 3b20 6e61 6d65 3d22 7570 5f6c data; name="up_l
0009c1f0: 6f61 645f 6669 6c65 5f74 7970 655f 626f oad_file_type_bo
0009c200: 6775 7322 0d0a 0d0a 6c69 6e6b 4f6e 65 gus"....linkOne
{code}
Miss the reading of only the binary part of the multipart request.
was:
2020/08/10 the OFBiz security team received a security report by Harshit Shukla
<[email protected]>, roughly it was (quoting part of it to simplify):
bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason
behind this RCE is lack of file extension check at
catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category
Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS
credentials by uploading a webshell (based on [0]). By security, it was then
decided by the Infra and OFBiz security teams to shut down the demos.
After I decided we needed to secure all our uploads and not only checking
extensions, I began to work on the vulnerablity. During this work I discovered,
according to [1] and [2], that these AWS credentials are so far considered
harmless.
This post-auth RCE relies on the demo data. In our documentation[3], we warn
our users to not use the demo data. Notably because they allow to sign in as an
admin!
After discussing these elements with Mark J Cox (VP of ASF security team[4]) we
in common decided that no CVE was necessary.
[0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
[1]
https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
[2] https://twitter.com/SpenGietz/status/1104198404471631872
[3]
https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment
[4] https://awe.com/mark/history/index.html
> CLONE - Secure the uploads
> --------------------------
>
> Key: OFBIZ-13192
> URL: https://issues.apache.org/jira/browse/OFBIZ-13192
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL APPLICATIONS, ALL PLUGINS
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.01
>
>
> Follow-up bug:
> The upload is a multipart and in HttpRequestFileUpload you're reading the
> entire body as input stream:
> [https://github.com/apache/ofbiz-framework/blob/8d69f18dd64bd6b064c4de029629b77cb88107d3/framework/base/src/main/java/org/apache/ofbiz/base/util/HttpRequestFileUpload.java#L154]
>
> That's why "Content-Disposition" gets added to the end of the file - even for
> images:
> {code:java}
> 0009c1a0: 2d2d 2d2d 2d2d 3138 3637 3331 3336 3434 ------1867313644
> 0009c1b0: 3232 3339 3435 3435 3433 3237 3431 3138 2239454543274118
> 0009c1c0: 3032 3738 0d0a 436f 6e74 656e 742d 4469 0278..Content-Di
> 0009c1d0: 7370 6f73 6974 696f 6e3a 2066 6f72 6d2d sposition: form-
> 0009c1e0: 6461 7461 3b20 6e61 6d65 3d22 7570 5f6c data; name="up_l
> 0009c1f0: 6f61 645f 6669 6c65 5f74 7970 655f 626f oad_file_type_bo
> 0009c200: 6775 7322 0d0a 0d0a 6c69 6e6b 4f6e 65 gus"....linkOne
> {code}
> Miss the reading of only the binary part of the multipart request.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
