[jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

Mon, 06 Jan 2025 09:05:15 -0800 


    [ 
https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910309#comment-17910309
 ] 

ASF subversion and git services commented on OFBIZ-11948:
---------------------------------------------------------

Commit b8ab904b4c84acc9af36522cd6ab6c5ac9622932 in ofbiz-framework's branch 
refs/heads/trunk from Nicolas Malin
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b8ab904b4c ]

Improved: Improve validation method on service parameter (OFBIZ-13197) (#869)

Since the Remote Code Execution (File Upload) Vulnerability fixed by 
OFBIZ-11948, the class GroovyBaseScript.groovy contains a dependency with a 
service definition 'createAnonFile' to control the security.

This solution works but break the dependency between each component and the 
mandatory for a service to protect it himself.

Normally a service can secure each parameter with element type-validate 
unfortunately, this element can call only method with one parameter. In your 
case the method to validate a file upload need to have the delegator.

To solve it, we improve the element type-validate to analyze the method call 
for validate the attribute value and pass the delegator or dispatcher if it 
detected.

Like this we can move the code present on GroovyBaseScript to the service 
definition and offer the possibility to create more complex validate method for 
custom site.

> Remote Code Execution (File Upload) Vulnerability
> -------------------------------------------------
>
>                 Key: OFBIZ-11948
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11948
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: content, framework/service, party, product/catalog
>    Affects Versions: Trunk, 17.12.04, 18.12.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.05, 18.12.01, 18.12.06, 22.01.01
>
>
> Harshit Shukla [email protected] reported this RCE vulnerability to the 
> OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability will be fixed. 
> It's a post-auth vulnerability so we did not ask for a CVE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to