You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/27 12:40:53 UTC
[ofbiz-framework] 02/02: Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 247b8713ba2e37b8dd6a8afb60425005e32e0bef
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Feb 27 13:35:48 2022 +0100
Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)
A user with rights to modify and/or create websites may insert malicious HTML
elements in the “webappPath” parameter from content/control/EditWebSite
resulting in XSS.
In order to trigger the XSS a victim needs to navigate to main page of the
modified website (eg webpos or ecommerce) and interact with the malicious
HTML elements (eg trigger the “onmouseover” event by navigating with the mouse
over the “form” and/or “a” tags).
Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerabily
Conflicts handled by hand in EntityAutoEngine.java
---
.../ofbiz/service/engine/EntityAutoEngine.java | 25 +++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
index 208ea7a..cff8d9e 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/engine/EntityAutoEngine.java
@@ -18,6 +18,8 @@
*/
package org.apache.ofbiz.service.engine;
+import java.io.IOException;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
@@ -36,6 +38,7 @@ import org.apache.ofbiz.entity.finder.PrimaryKeyFinder;
import org.apache.ofbiz.entity.model.ModelEntity;
import org.apache.ofbiz.entity.model.ModelField;
import org.apache.ofbiz.entity.util.EntityQuery;
+import org.apache.ofbiz.security.SecuredUpload;
import org.apache.ofbiz.service.DispatchContext;
import org.apache.ofbiz.service.GenericServiceException;
import org.apache.ofbiz.service.ModelParam;
@@ -70,7 +73,10 @@ public final class EntityAutoEngine extends GenericAsyncEngine {
@Override
public Map<String, Object> runSync(String localName, ModelService modelService, Map<String, Object> parameters) throws GenericServiceException {
// static java service methods should be: public Map<String, Object> methodName(DispatchContext dctx, Map<String, Object> context)
- DispatchContext dctx = dispatcher.getLocalContext(localName);
+ if (!isValidText(parameters)) {
+ return ServiceUtil.returnError("Not saved for security reason!");
+ }
+ DispatchContext dctx = getDispatcher().getLocalContext(localName);
Locale locale = (Locale) parameters.get("locale");
Map<String, Object> result = ServiceUtil.returnSuccess();
@@ -578,4 +584,21 @@ public final class EntityAutoEngine extends GenericAsyncEngine {
Map<String, Object> result = ServiceUtil.returnSuccess(UtilProperties.getMessage("ServiceUiLabels", "EntityExpiredSuccessfully", UtilMisc.toMap("label", modelEntity.getTitle()), locale));
return result;
}
+
+ private static boolean isValidText(Map<String, Object> parameters) {
+ // TODO maybe more parameters will be needed in future...
+ String parameter = (String) parameters.get("webappPath");
+ if (parameter != null) {
+ try {
+ if (!SecuredUpload.isValidText(parameter, Collections.emptyList())) {
+ Debug.logError("================== Not saved for security reason ==================", MODULE);
+ return false;
+ }
+ } catch (IOException e) {
+ Debug.logError("================== Not saved for security reason ==================", MODULE);
+ return false;
+ }
+ }
+ return true;
+ }
}