You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@isis.apache.org by "Andi Huber (Jira)" <ji...@apache.org> on 2022/08/20 15:38:00 UTC

[jira] [Commented] (ISIS-3128) [Security] h2 database default provide web access and use administator user maybe cause code execution

    [ https://issues.apache.org/jira/browse/ISIS-3128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582252#comment-17582252 ] 

Andi Huber commented on ISIS-3128:
----------------------------------

I believe this is relevant in the context of running the framework in 'prototyping' mode with h2 console enabled. Not relevant for production mode.

I guess we will not change our current code base, but maybe it would be a good thing to start a security advisory section with our framework's online documentation.

> [Security] h2 database default provide web access and use administator user maybe cause code execution
> ------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-3128
>                 URL: https://issues.apache.org/jira/browse/ISIS-3128
>             Project: Isis
>          Issue Type: Improvement
>          Components: Isis Examples, Isis Examples Demo App
>    Affects Versions: 2.0.0-M7
>            Reporter: WilliamThomson
>            Priority: Major
>              Labels: security
>             Fix For: 2.0.0-RC1
>
>         Attachments: 1.png, 2.png, 3.png
>
>
> First of all: I am not sure if the service is intentionally set by the project. But: As the current ISIS version (7.9.0) that is used by isis is vulnerable to it, I guess it might be relevant to you.
>  
> h2 database external access is enabled and use SA admin user by default, resulting in code execution
>  
> Access 127.0.0.1:8080/db , you can log in without additional username and password. Because project permit SA login, like 1.png, 2.png
>  
> SA account can execute sql query, cause code execute, like 3.png
>  
> poc like this
> CREATE ALIAS GET_SYSTEM_PROPERTY FOR "java.lang.System.getProperty";
> CALL GET_SYSTEM_PROPERTY('java.class.path');
>  
> Even if h2 db web login is a normal servie, I think it needs to be set to prohibit remote browse login
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)