Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2019/09/14 12:53:00 UTC

[jira] [Comment Edited] (OFBIZ-11196) Path Traversal in webtools/control/FetchLogs and ViewFile

    [ https://issues.apache.org/jira/browse/OFBIZ-11196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16929762#comment-16929762 ] 

Jacques Le Roux edited comment on OFBIZ-11196 at 9/14/19 12:52 PM:
-------------------------------------------------------------------

BTW I wrote above
bq. These are not really path traversal issues.
It's true for https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=/etc/passwd
but not for https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=/etc/passwd
because there the runtime log dir is used. Anyway the fixes are still valid and 
bq. We can't solve them using the traditional way to fix path traversal issues (ie normalising path).
is also valid. And you can only try that today, tomorrow nothing will work :)


was (Author: jacques.le.roux):
BTW I wrote above
bq. These are not really path traversal issues.
It's true for https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=/etc/passwd
but not for https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=/etc/passwd
because there the runtime log dir is used. Anyway the fixes are still valid and 
bq. We can't solve them using the traditional way to fix path traversal issues (ie normalising path).
is also valid.

> Path Traversal in webtools/control/FetchLogs and ViewFile
> ---------------------------------------------------------
>
>                 Key: OFBIZ-11196
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11196
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.07, 18.12.01
>
>
> This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it as a real security issue because it requires authentication.
> {quote}
> Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host OS by modifying the "logFileName" parameter.
> While the web application submits the affected URL as a POST request, it can be converted to a GET for ease of use.
> Affected URLs:
> /webtools/control/FetchLogs?logFileName
> /webtools/control/ViewFile?fileName
> Screenshots:
> see attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png
> {quote}
> That can indeed be easily reproduced at
> https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=../../../../../../etc/passwd
> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=../../../../../../etc/passwd



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
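A defender-side illustration of the distinction drawn in the comment above (an added example, not OFBiz's own code): plain path normalisation leaves both request shapes untouched, whereas resolving the request against the runtime log directory and checking that the result stays inside it rejects the `../` form and the absolute form alike. The directory layout, the log file name and the `safe_log_path` helper are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested file name would leave the log directory."""


def normalise_only(requested: str) -> str:
    # The "traditional" fix: collapse ./ and ../ segments lexically.
    # An absolute path, or one that starts with ../, comes back unchanged.
    return os.path.normpath(requested)


def safe_log_path(log_dir, requested: str) -> Path:
    """Resolve `requested` inside `log_dir`; raise if it escapes it."""
    base = Path(log_dir).resolve()
    if os.path.isabs(requested):
        raise UnsafePathError(f"absolute path rejected: {requested}")
    # resolve() follows symlinks and collapses .., so a symlink planted
    # inside the log dir cannot be used to point outside it either.
    candidate = (base / requested).resolve()
    if os.path.commonpath([base, candidate]) != str(base):
        raise UnsafePathError(f"escapes log dir: {requested}")
    return candidate


def demo() -> dict:
    """Constructed runtime/logs layout; returns name-or-'rejected' per request."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp) / "runtime" / "logs"
        log_dir.mkdir(parents=True)
        (log_dir / "ofbiz.log").write_text("constructed log line\n")
        requests = [
            "ofbiz.log",                        # legitimate
            "sub/../ofbiz.log",                 # harmless .. that stays inside
            "../../../../../../etc/passwd",     # traversal relative to log dir
            "/etc/passwd",                      # absolute path, no .. needed
        ]
        results = {}
        for name in requests:
            try:
                results[name] = safe_log_path(log_dir, name).name
            except UnsafePathError:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:40} -> {outcome}")
```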