Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/05 09:21:15 UTC

[ofbiz-framework] branch release18.12 updated: Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 047849f  Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
047849f is described below

commit 047849f42bf5cb69e28132b66a4a5907136188d8
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Feb 5 10:13:44 2022 +0100

    Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
    
    In SecuredUpload::isValidImageFile I initially used isValidText() and thought
    that decoding would be better, so finally used isValidTextFile() instead. But
    then valid image files are not passing. So this replaces isValidTextFile with
    isValidText there.
    
    Also, while at it, removes a few other PHP tokens, now useless (hopefully; I
    still have to check encoded and encrypted PHP webshells), from
    security::deniedWebShellTokens. The fewer tokens we have, the more legible the
    whole is.
    Improves related comments.
    
    Modifies SecurityUtilTest::webShellTokensTesting accordingly
    
    Conflicts handled by hand
     framework/security/config/security.properties
     framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
---
 framework/security/config/security.properties             | 15 ++++++++++-----
 .../java/org/apache/ofbiz/security/SecuredUpload.java     |  2 +-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index cda4b36..cf49080 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -200,14 +200,19 @@ deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm
 #-- As it name says, allowAllUploads opens all possibilities
 allowAllUploads=
 #--
-#-- List of denied tokens often part of webshells
+#-- List of denied tokens often part of webshells. Note that, for now at least, those are supposed to be used on a *nix system
 #-- TODO.... to be continued with known webshell contents... a complete allow list is impossible anyway...
-#-- eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
 #-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax.
 #-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows...
-deniedWebShellTokens=<%,<jsp:,<?,#!,freemarker,<script,javascript,%eval,@eval,<body>,<form,\
-                     import os,passthru,exec,shell_exec,assert,str_rot13,system,base64_decode,chmod,mkdir,\
-                     fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile
+#-- If you are sure you are safe for a token you can remove it, etc.
+deniedWebShellTokens=<%,<jsp,<?,#!,freemarker,<script,javascript,eval,<body>,<form,\
+                     chmod,mkdir,fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile
+
+
+#-- Popup last-visited time from database after user has logged in.
+#-- So users can know of any unauthorised access to their accounts.
+#-- Default is false.
+afterlogin.lastvisit.show=
 
 #-- uri used for login (cf jira OFBIZ-12047)
 #-- it's a list, each uri should be separated by comma, without space
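Review bot: the tokens dropped from deniedWebShellTokens in this hunk (passthru, exec, shell_exec, assert, str_rot13, system, base64_decode, import os) are exactly the primitives that encoded PHP webshells are built from, and the commit message itself says encoded and encrypted PHP webshells have not been checked yet; keep at least base64_decode and str_rot13 until that check is done, or state in the comment why they are no longer needed. "import os" is a Python token rather than a PHP one, so "a few other PHP tokens" understates what is removed. Replacing "%eval,@eval" with the bare "eval" widens the match, which is good for "eval(", but if tokens are compared as substrings (the matcher is not visible in this hunk) it will also reject benign text containing "retrieval" or "evaluate"; confirm the matching mode before accepting the broader token. Two smaller points in the same hunk: the unchanged header line lists "hph3" among deniedFileExtensions, which looks like a typo for "php3" and would leave .php3 uploads undenied, and the new afterlogin.lastvisit.show property is unrelated to this fix (its comment says "Default is false" while the value is left empty) and belongs in its own commit.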
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 0cd9a70..53cf774 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -243,7 +243,7 @@ public class SecuredUpload {
                 || imageFormat.equals(ImageFormats.TIFF)
                 || imageFormat.equals(ImageFormats.JPEG))
                 && imageMadeSafe(fileName)
-                && isValidTextFile(fileName);
+                && isValidText(fileName, new ArrayList<>());
     }
 
     /**
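Review bot: the "new ArrayList<>()" passed as the second argument of isValidText is an unexplained magic value; add a short comment or a named constant saying what an empty list means at this call site (presumably no extra tokens beyond deniedWebShellTokens, but that is a guess a reader should not have to make by opening isValidText). Also confirm java.util.ArrayList is already imported in SecuredUpload: the diffstat shows this file changing by a single line, so no import came in with this call. Finally, the commit message explains that isValidTextFile rejected valid images because it decodes the content; a one-line comment above the && chain recording that reason, and that the scan deliberately runs only after imageMadeSafe(fileName) has processed the file, would stop the next person from swapping isValidTextFile back in.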