Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/04 11:31:49 UTC
[ofbiz-framework] branch release18.12 updated (77a2c74 -> 4ab4b15)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.
from 77a2c74 Improved: no functional change, adds a BuildBot badge (INFRA-22807)
new e7955fc Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
new 4ab4b15 Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
framework/catalina/ofbiz-component.xml | 12 ++++++++++--
framework/security/config/security.properties | 6 +++---
.../main/java/org/apache/ofbiz/security/SecuredUpload.java | 4 +++-
3 files changed, 16 insertions(+), 6 deletions(-)
[ofbiz-framework] 01/02: Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
Posted by jl...@apache.org.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit e7955fc06438cfa3e93cfbf00291958fceb3d4ed
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Feb 4 04:30:13 2022 +0100
Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
Lion Tree <li...@gmail.com> has reported to us that
"CVE-2020-1938 is not fully fixed".
Though it was fixed by OFBIZ-11407, it is still possible for an authenticated user
to upload a webshell included in an image using one of the upload possibilities
in OFBiz. That is not new and is covered by OFBIZ-12080 "Secure the uploads", but
it was still incomplete.
This enforces the secured uploads by
* checking in SecuredUpload::isValidImageFile that a webshell is not embedded in
an image.
* Keeping only "<%" as a denied token for JSP webshells, instead of currently
"<%@ page"
* Adds "application/text/x-ruby" to SecuredUpload::isExecutable
Also
* Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
it's often installed on servers.
* Removes "import=\"java" and "runtime.getruntime().exec(". They are no
longer useful since "<%" and "<jsp" block them.
* Remove php token since I'll put "<?" in.
* Adds "#!", rather than adding other shebangs like perl, python and ruby
This will make deniedWebShellTokens more understandable.
But I'm conscious that despite SecuredUpload::isExecutable I still need to
better handle encoded webshells. I'll do that soon in a second approach.
I'll also certainly prune PHP-related tokens more.
Thanks: Lion Tree for report
---
framework/security/config/security.properties | 6 +++---
.../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5861ef4..cda4b36 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -205,9 +205,9 @@ allowAllUploads=
#-- eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
#-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax.
#-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows...
-deniedWebShellTokens=freemarker,import=\"java,runtime.getruntime().exec(,<%@ page,<script,<body>,<form,php,\
- javascript,%eval,@eval,import os,passthru,exec,shell_exec,assert,str_rot13,system,phpinfo,base64_decode,chmod,mkdir,\
- fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile
+deniedWebShellTokens=<%,<jsp:,<?,#!,freemarker,<script,javascript,%eval,@eval,<body>,<form,\
+ import os,passthru,exec,shell_exec,assert,str_rot13,system,base64_decode,chmod,mkdir,\
+ fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile
#-- uri used for login (cf jira OFBIZ-12047)
#-- it's a list, each uri should be separated by comma, without space
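Review bot: the new "<?" token also matches the XML prolog (`<?xml version="1.0"?>`), so any upload path that runs deniedWebShellTokens over XML-based content (SVG, XML, XHTML) will now reject every such file; either confirm that is intended or anchor the PHP token more tightly (for example "<?php" plus "<?="). Two smaller points in the same hunk: the list carries "<jsp:" while the commit message says "<jsp", and the colon means a tag such as `<jsp` followed by whitespace is not caught, so pick one and make message and property agree; and the comment block above the property still only discusses "freemarker", so a line noting the JSP/PHP/shebang tokens and why "<%" replaced "<%@ page" would help the next person who edits this list.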
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index afa2f7b..0cd9a70 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -242,7 +242,8 @@ public class SecuredUpload {
|| imageFormat.equals(ImageFormats.GIF)
|| imageFormat.equals(ImageFormats.TIFF)
|| imageFormat.equals(ImageFormats.JPEG))
- && imageMadeSafe(fileName);
+ && imageMadeSafe(fileName)
+ && isValidTextFile(fileName);
}
/**
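Review bot: applying isValidTextFile(fileName) to a binary image will produce false rejections of legitimate uploads, because two-byte tokens from deniedWebShellTokens such as "<%" (0x3C 0x25) and "#!" (0x23 0x21) occur by chance in compressed pixel data roughly once per 64 KiB, and short words such as "exec" or "import" can also appear in EXIF/XMP metadata. Consider scanning only the metadata/comment segments and the bytes after the image's end-of-image marker, or at least comparing against the longer tokens when the input is a known image format. Note also that this check runs after imageMadeSafe(fileName), so it inspects whatever state that call leaves the file in; if imageMadeSafe re-encodes the image, document that the token scan is a second line of defence on the re-encoded file rather than on the original bytes.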
@@ -422,6 +423,7 @@ public class SecuredUpload {
if ("application/x-elf".equals(mimeType)
|| "application/x-sh".equals(mimeType)
|| "application/text/x-perl".equals(mimeType)
+ || "application/text/x-ruby".equals(mimeType)
|| "application/text/x-python".equals(mimeType)) {
Debug.logError("The file" + fileName + " is a Linux executable, for security reason it's not accepted :", MODULE);
return true;
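Review bot: "application/text/x-ruby" is not a registered MIME type (the conventional one is text/x-ruby); it follows the pattern of the existing "application/text/x-perl" and "application/text/x-python" entries, so please confirm it is the exact string the MIME detector used by SecuredUpload returns for Ruby scripts, otherwise this branch never fires. While here, the log call in the context line is missing a space between "The file" and fileName and has a stray " :" at the end; `"The file " + fileName + " is a Linux executable, for security reasons it is not accepted"` reads correctly.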
[ofbiz-framework] 02/02: Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
Posted by jl...@apache.org.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 4ab4b15ade3fb544de25d259123c0ec2c5ce9df7
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Feb 4 12:28:47 2022 +0100
Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
Despite OFBIZ-11407, the 2 values secretRequired and especially
allowedRequestAttributesPattern are commented out because of OFBIZ-12558.
The Tomcat default values will be used as recommended by
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is in relation to
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
Thanks: Lion Tree for report
Conflicts handled by hand in framework/catalina/ofbiz-component.xml
---
framework/catalina/ofbiz-component.xml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml
index 176a36e..c30f231 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -74,9 +74,17 @@ under the License.
<property name="secure" value="false"/>
<property name="URIEncoding" value="UTF-8"/>
<property name="xpoweredBy" value="false"/>
- <property name="secretRequired" value="false"/>
- <property name="allowedRequestAttributesPattern" value=".*"/>
<!-- AJP/13 connector attributes -->
+ <!-- Despite OFBIZ-11407, the 2 values below are commented out because of OFBIZ-12558
+ The Tomcat default values will be used as recommended by
+ https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
+ This is in relation with
+ https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
+ and
+ https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
+ -->
+ <!-- <property name="secretRequired" value="false"/>
+ <property name="allowedRequestAttributesPattern" value=".*"/> -->
<!-- commented out because the values match the Tomcat defaults:
<property name="tomcatAuthentication" value="true"/>
<property name="allowTrace" value="false"/>
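Review bot: with the two properties removed, the Tomcat 9.0.31+ defaults apply, which means secretRequired=true and no request attributes allowed from the AJP client; with secretRequired=true the AJP connector refuses to start unless a `secret` property is also configured, so any deployment that enables this connector now needs to set a shared secret on both the Tomcat side and the reverse proxy (mod_jk / mod_proxy_ajp) side. The comment block should state those defaults and that requirement explicitly, rather than only linking to the Tomcat pages, and the commented-out `value="false"` / `value=".*"` lines are the insecure settings that OFBIZ-11407 was meant to retire; leaving them in the file invites someone to uncomment them, so either drop them or prefix the comment with a note that re-enabling them reopens the CVE-2020-1938 exposure.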