Posted to dev@ofbiz.apache.org by Pierre Smits <pi...@gmail.com> on 2022/02/04 11:53:17 UTC

Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

Hi Jacques,

Wasn't there PHP code in the scrum application/component to work with a
git repository?

Or was that Python?


On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <
jira@apache.org> wrote:

>
>     [
> https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028
> ]
>
> ASF subversion and git services commented on OFBIZ-11948:
> ---------------------------------------------------------
>
> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
> branch refs/heads/trunk from Jacques Le Roux
> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
>
> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
>
> Lion Tree <li...@gmail.com> has reported to us that
> "CVE-2020-1938 is not fully fixed".
>
> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
> user to upload a webshell included in an image using one of the upload
> possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
> "Secure the uploads", but was still incomplete.
>
> This enforces the secured uploads by
> * checking in SecuredUpload::isValidImageFile that a webshell is not
>   embedded in an image.
> * Keeping only "<%" as a denied token for JSP webshells, instead of
>   currently "<%@ page"
> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
>
> Also
> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>   it's often installed on servers.
> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
>   longer useful since "<%" and "<jsp" block them.
> * Remove php token since I'll put "<?" in.
> * Adds "#!", rather than adding other shebangs like perl, python and ruby
>
> This will make deniedWebShellTokens more understandable.
>
> But I'm conscious that despite SecuredUpload::isExecutable I still need to
> better handle encoded webshells. I'll do that soon in a second approach.
>
> I'll also certainly prune more PHP-related tokens.
>
> Thanks: Lion Tree for report
>
>
> > Remote Code Execution (File Upload) Vulnerability
> > -------------------------------------------------
> >
> >                 Key: OFBIZ-11948
> >                 URL: https://issues.apache.org/jira/browse/OFBIZ-11948
> >             Project: OFBiz
> >          Issue Type: Sub-task
> >          Components: product/catalog
> >    Affects Versions: Trunk, 17.12.04, 18.12.01
> >            Reporter: Jacques Le Roux
> >            Assignee: Jacques Le Roux
> >            Priority: Major
> >             Fix For: 17.12.05, 18.12.01
> >
> >
> > Harshit Shukla harshit.shukz@gmail.com reported this RCE vulnerability
> > to the OFBiz security team, and we thank him for that.
> > I'll quote his email message here once the vulnerability is fixed. It's a
> > post-auth vulnerability so we did not ask for a CVE.
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.20.1#820001)
>

Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

Posted by Jacques Le Roux <ja...@les7arts.com>.
Ah OK, then this sentence was inappropriate, nothing more. Actually the idea, from a security POV, is to add "<jsp", and "<?" in
security.properties::deniedWebShellTokens to neutralise non-encoded PHP webshells.

Mmm, I just checked. It's about Python: https://github.com/apache/ofbiz-plugins/tree/trunk/scrum/data/hookscripts

Anyway this does not add anything since I have also added <<"#!", rather than adding other shebangs for perl, python and ruby>>, still to neutralise
only non-encoded webshells.

You would have certainly understood that I'm still working on encoded webshells...

HTH

On 04/02/2022 at 14:15, Pierre Smits wrote:
> Hi Jacques,
>
> in a posting above, you stated:
>
> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>
>
> and I remember that functionality introduced in the scrum
> application/component was in PHP (or Python) to 'manage' scrum artefacts in
> a git repository. I did not investigate the component further. That makes
> that 'Even if OFBiz does not use PHP at all' not entirely accurate.
>
> I just thought I'd mention it, to make you aware of this. And potentially an
> additional issue that needs to be addressed.
>
> Kind regards,
>
> Pierre Smits
> Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
> 2008 (without privileges)
> Proud contributor to the ASF since 2006
> Apache Directory <https://directory.apache.org>, PMC Member
>
> Anyone could have been you, whereas I've always been anyone.
>
>
> On Fri, Feb 4, 2022 at 2:06 PM Jacques Le Roux <ja...@les7arts.com>
> wrote:
>
>> Hi Pierre,
>>
>> How is your question related?
>>
>> On 04/02/2022 at 12:53, Pierre Smits wrote:
>>> Hi Jacques,
>>>
>>> Wasn't there PHP code in the scrum application/component to work with a
>>> git repository?
>>>
>>> Or was that Python?
>>>
>>>
>>> On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <
>>> jira@apache.org> wrote:
>>>
>>>>       [
>>>>
>> https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028
>>>> ]
>>>>
>>>> ASF subversion and git services commented on OFBIZ-11948:
>>>> ---------------------------------------------------------
>>>>
>>>> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
>>>> branch refs/heads/trunk from Jacques Le Roux
>>>> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
>>>>
>>>> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
>>>>
>>>> Lion Tree <li...@gmail.com> has reported to us that
>>>> "CVE-2020-1938 is not fully fixed".
>>>>
>>>> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
>>>> user to upload a webshell included in an image using one of the upload
>>>> possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
>>>> "Secure the uploads", but was still incomplete.
>>>>
>>>> This enforces the secured uploads by
>>>> * checking in SecuredUpload::isValidImageFile that a webshell is not
>>>>   embedded in an image.
>>>> * Keeping only "<%" as a denied token for JSP webshells, instead of
>>>>   currently "<%@ page"
>>>> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
>>>>
>>>> Also
>>>> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>>>>   it's often installed on servers.
>>>> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
>>>>   longer useful since "<%" and "<jsp" block them.
>>>> * Remove php token since I'll put "<?" in.
>>>> * Adds "#!", rather than adding other shebangs like perl, python and ruby
>>>>
>>>> This will make deniedWebShellTokens more understandable.
>>>>
>>>> But I'm conscious that despite SecuredUpload::isExecutable I still need to
>>>> better handle encoded webshells. I'll do that soon in a second approach.
>>>>
>>>> I'll also certainly prune more PHP-related tokens.
>>>>
>>>> Thanks: Lion Tree for report
>>>>
>>>>
>>>>> Remote Code Execution (File Upload) Vulnerability
>>>>> -------------------------------------------------
>>>>>
>>>>>                   Key: OFBIZ-11948
>>>>>                   URL:
>> https://issues.apache.org/jira/browse/OFBIZ-11948
>>>>>               Project: OFBiz
>>>>>            Issue Type: Sub-task
>>>>>            Components: product/catalog
>>>>>      Affects Versions: Trunk, 17.12.04, 18.12.01
>>>>>              Reporter: Jacques Le Roux
>>>>>              Assignee: Jacques Le Roux
>>>>>              Priority: Major
>>>>>               Fix For: 17.12.05, 18.12.01
>>>>>
>>>>>
>>>>> Harshit Shukla harshit.shukz@gmail.com reported this RCE vulnerability
>>>>> to the OFBiz security team, and we thank him for that.
>>>>> I'll quote his email message here once the vulnerability is fixed. It's a
>>>>> post-auth vulnerability so we did not ask for a CVE.
>>>>
>>>>
>>>>
>>>> --
>>>> This message was sent by Atlassian Jira
>>>> (v8.20.1#820001)
>>>>
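The deny-list check described in the commit message and in Jacques's reply above, as an added example that is not part of this thread and not OFBiz's own SecuredUpload class: it scans an upload for the tokens the commit names ("<%", "<jsp", "<?", "#!"), validates the image by magic number, and shows why a payload that is only present in encoded form passes a literal token scan, which is the gap Jacques says remains. The token subset, the content-type set (only "application/text/x-ruby" comes from the commit), the sample files and the optional base64 rescan are all constructed assumptions of this example; OFBiz's real list lives in security.properties::deniedWebShellTokens.

```python
"""Token-based upload scanning in the spirit of the deniedWebShellTokens check
discussed in the thread. Added illustration, not OFBiz's SecuredUpload code;
every list and sample below is constructed."""
import base64
import binascii
import re

# Tokens named in the commit message; the real, longer list is kept by OFBiz
# in security.properties (deniedWebShellTokens).
DENIED_WEBSHELL_TOKENS = ("<%", "<jsp", "<?", "#!")

# Declared content types rejected outright. "application/text/x-ruby" is the
# one the commit adds to SecuredUpload::isExecutable; the others are made up.
EXECUTABLE_CONTENT_TYPES = frozenset({
    "application/text/x-ruby",
    "application/x-sh",
    "text/x-python",
})

# Magic numbers of the image formats this example accepts.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Runs that look like base64 text (used by the optional rescan below).
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def is_executable(content_type: str) -> bool:
    """True if the declared content type is one we never accept."""
    return content_type.strip().lower() in EXECUTABLE_CONTENT_TYPES


def find_denied_token(data: bytes):
    """First denied token found anywhere in the raw bytes, or None.

    latin-1 maps every byte to exactly one character, so binary image data can
    be searched without decode errors; lower-casing makes '<JSP' match too.
    """
    text = data.decode("latin-1").lower()
    for token in DENIED_WEBSHELL_TOKENS:
        if token in text:
            return token
    return None


def find_denied_token_in_base64_runs(data: bytes):
    """Decode base64-looking runs and scan the result for denied tokens.

    A literal token scan never sees an encoded payload; rescanning decoded runs
    is one possible direction (an assumption of this example, not the project's
    plan) and can false-positive on decoded binary garbage.
    """
    for run in BASE64_RUN.findall(data):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        token = find_denied_token(decoded)
        if token is not None:
            return token
    return None


def image_format(data: bytes):
    """Name of the image format identified by its magic bytes, or None."""
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def is_valid_image_file(data: bytes, rescan_encoded: bool = False) -> bool:
    """Accept only a real image (by magic number) that carries no denied token
    anywhere in its bytes, the check the commit adds to isValidImageFile.
    With rescan_encoded=True the base64 rescan is applied as well."""
    if image_format(data) is None or find_denied_token(data) is not None:
        return False
    return not (rescan_encoded and find_denied_token_in_base64_runs(data))


# Constructed sample uploads (not real files, not real payloads).
PNG_HEAD = IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00\x00\x00\x10" * 2
MARKER = b"<?php /* constructed marker */ ?>"
SAMPLES = {
    "clean_png": PNG_HEAD + b"\x00" * 16,
    "png_with_plain_marker": PNG_HEAD + MARKER,                   # appended
    "png_with_encoded_marker": PNG_HEAD + base64.b64encode(MARKER),
    "shell_script": b"#!/bin/sh\necho constructed\n",
}


def scan_report(samples=SAMPLES):
    """Verdict of every check for each sample, keyed by sample name."""
    return {
        name: {
            "format": image_format(data),
            "token": find_denied_token(data),
            "encoded_token": find_denied_token_in_base64_runs(data),
            "accepted_plain": is_valid_image_file(data),
            "accepted_with_rescan": is_valid_image_file(data, rescan_encoded=True),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in scan_report().items():
        print(f"{name:26} {verdict}")
```

Two points worth noting when reading the verdicts: the token scan runs over the whole byte stream, not just the header, because a valid magic number says nothing about what follows it (metadata chunks, comments, trailing data); and the "<?" token also matches the XML prolog, so a deployment that accepts SVG or other XML uploads needs a separate rule for them.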

Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

Posted by Jacques Le Roux <ja...@les7arts.com>.
We crossed on the wire, Michael :)

On 04/02/2022 at 14:34, Michael Brohl wrote:
> The scrum component contains a Python script which is used together with git hooks.
>
> So Jacques's statement was entirely accurate.
>
> Michael
>
> On 04.02.22 at 14:15, Pierre Smits wrote:
>> Hi Jacques,
>>
>> in a posting above, you stated:
>>
>> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>>
>>
>> and I remember that functionality introduced in the scrum
>> application/component was in PHP (or Python) to 'manage' scrum artefacts in
>> a git repository. I did not investigate the component further. That makes
>> that 'Even if OFBiz does not use PHP at all' not entirely accurate.
>>
>> I just thought I'd mention it, to make you aware of this. And potentially an
>> additional issue that needs to be addressed.
>>
>> Kind regards,
>>
>> Pierre Smits
>> Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
>> 2008 (without privileges)
>> Proud contributor to the ASF since 2006
>> Apache Directory <https://directory.apache.org>, PMC Member
>>
>> Anyone could have been you, whereas I've always been anyone.
>>
>>
>> On Fri, Feb 4, 2022 at 2:06 PM Jacques Le Roux <ja...@les7arts.com>
>> wrote:
>>
>>> Hi Pierre,
>>>
>>> How is your question related?
>>>
>>> On 04/02/2022 at 12:53, Pierre Smits wrote:
>>>> Hi Jacques,
>>>>
>>>> Wasn't there PHP code in the scrum application/component to work with a
>>>> git repository?
>>>>
>>>> Or was that Python?
>>>>
>>>>
>>>> On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <
>>>> jira@apache.org> wrote:
>>>>
>>>>>       [
>>>>>
>>> https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028 
>>>
>>>>> ]
>>>>>
>>>>> ASF subversion and git services commented on OFBIZ-11948:
>>>>> ---------------------------------------------------------
>>>>>
>>>>> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
>>>>> branch refs/heads/trunk from Jacques Le Roux
>>>>> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
>>>>>
>>>>> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
>>>>>
>>>>> Lion Tree <li...@gmail.com> has reported to us that
>>>>> "CVE-2020-1938 is not fully fixed".
>>>>>
>>>>> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
>>>>> user to upload a webshell included in an image using one of the upload
>>>>> possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
>>>>> "Secure the uploads", but was still incomplete.
>>>>>
>>>>> This enforces the secured uploads by
>>>>> * checking in SecuredUpload::isValidImageFile that a webshell is not
>>>>>   embedded in an image.
>>>>> * Keeping only "<%" as a denied token for JSP webshells, instead of
>>>>>   currently "<%@ page"
>>>>> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
>>>>>
>>>>> Also
>>>>> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>>>>>   it's often installed on servers.
>>>>> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
>>>>>   longer useful since "<%" and "<jsp" block them.
>>>>> * Remove php token since I'll put "<?" in.
>>>>> * Adds "#!", rather than adding other shebangs like perl, python and ruby
>>>>>
>>>>> This will make deniedWebShellTokens more understandable.
>>>>>
>>>>> But I'm conscious that despite SecuredUpload::isExecutable I still need to
>>>>> better handle encoded webshells. I'll do that soon in a second approach.
>>>>>
>>>>> I'll also certainly prune more PHP-related tokens.
>>>>>
>>>>> Thanks: Lion Tree for report
>>>>>
>>>>>
>>>>>> Remote Code Execution (File Upload) Vulnerability
>>>>>> -------------------------------------------------
>>>>>>
>>>>>>                   Key: OFBIZ-11948
>>>>>>                   URL:
>>> https://issues.apache.org/jira/browse/OFBIZ-11948
>>>>>>               Project: OFBiz
>>>>>>            Issue Type: Sub-task
>>>>>>            Components: product/catalog
>>>>>>      Affects Versions: Trunk, 17.12.04, 18.12.01
>>>>>>              Reporter: Jacques Le Roux
>>>>>>              Assignee: Jacques Le Roux
>>>>>>              Priority: Major
>>>>>>               Fix For: 17.12.05, 18.12.01
>>>>>>
>>>>>>
>>>>>> Harshit Shukla harshit.shukz@gmail.com reported this RCE vulnerability
>>>>>> to the OFBiz security team, and we thank him for that.
>>>>>> I'll quote his email message here once the vulnerability is fixed. It's a
>>>>>> post-auth vulnerability so we did not ask for a CVE.
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> This message was sent by Atlassian Jira
>>>>> (v8.20.1#820001)
>>>>>

Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

Posted by Michael Brohl <mi...@ecomify.de>.
The scrum component contains a Python script which is used together with 
git hooks.

So Jacques's statement was entirely accurate.

Michael

On 04.02.22 at 14:15, Pierre Smits wrote:
> Hi Jacques,
>
> in a posting above, you stated:
>
> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>
>
> and I remember that functionality introduced in the scrum
> application/component was in PHP (or Python) to 'manage' scrum artefacts in
> a git repository. I did not investigate the component further. That makes
> that 'Even if OFBiz does not use PHP at all' not entirely accurate.
>
> I just thought I'd mention it, to make you aware of this. And potentially an
> additional issue that needs to be addressed.
>
> Kind regards,
>
> Pierre Smits
> Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
> 2008 (without privileges)
> Proud contributor to the ASF since 2006
> Apache Directory <https://directory.apache.org>, PMC Member
>
> Anyone could have been you, whereas I've always been anyone.
>
>
> On Fri, Feb 4, 2022 at 2:06 PM Jacques Le Roux <ja...@les7arts.com>
> wrote:
>
>> Hi Pierre,
>>
>> How is your question related?
>>
>> On 04/02/2022 at 12:53, Pierre Smits wrote:
>>> Hi Jacques,
>>>
>>> Wasn't there PHP code in the scrum application/component to work with a
>>> git repository?
>>>
>>> Or was that Python?
>>>
>>>
>>> On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <
>>> jira@apache.org> wrote:
>>>
>>>>       [
>>>>
>> https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028
>>>> ]
>>>>
>>>> ASF subversion and git services commented on OFBIZ-11948:
>>>> ---------------------------------------------------------
>>>>
>>>> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
>>>> branch refs/heads/trunk from Jacques Le Roux
>>>> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
>>>>
>>>> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
>>>>
>>>> Lion Tree <li...@gmail.com> has reported to us that
>>>> "CVE-2020-1938 is not fully fixed".
>>>>
>>>> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
>>>> user to upload a webshell included in an image using one of the upload
>>>> possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
>>>> "Secure the uploads", but was still incomplete.
>>>>
>>>> This enforces the secured uploads by
>>>> * checking in SecuredUpload::isValidImageFile that a webshell is not
>>>>   embedded in an image.
>>>> * Keeping only "<%" as a denied token for JSP webshells, instead of
>>>>   currently "<%@ page"
>>>> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
>>>>
>>>> Also
>>>> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>>>>   it's often installed on servers.
>>>> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
>>>>   longer useful since "<%" and "<jsp" block them.
>>>> * Remove php token since I'll put "<?" in.
>>>> * Adds "#!", rather than adding other shebangs like perl, python and ruby
>>>>
>>>> This will make deniedWebShellTokens more understandable.
>>>>
>>>> But I'm conscious that despite SecuredUpload::isExecutable I still need to
>>>> better handle encoded webshells. I'll do that soon in a second approach.
>>>>
>>>> I'll also certainly prune more PHP-related tokens.
>>>>
>>>> Thanks: Lion Tree for report
>>>>
>>>>
>>>>> Remote Code Execution (File Upload) Vulnerability
>>>>> -------------------------------------------------
>>>>>
>>>>>                   Key: OFBIZ-11948
>>>>>                   URL:
>> https://issues.apache.org/jira/browse/OFBIZ-11948
>>>>>               Project: OFBiz
>>>>>            Issue Type: Sub-task
>>>>>            Components: product/catalog
>>>>>      Affects Versions: Trunk, 17.12.04, 18.12.01
>>>>>              Reporter: Jacques Le Roux
>>>>>              Assignee: Jacques Le Roux
>>>>>              Priority: Major
>>>>>               Fix For: 17.12.05, 18.12.01
>>>>>
>>>>>
>>>>> Harshit Shukla harshit.shukz@gmail.com reported this RCE vulnerability
>>>>> to the OFBiz security team, and we thank him for that.
>>>>> I'll quote his email message here once the vulnerability is fixed. It's a
>>>>> post-auth vulnerability so we did not ask for a CVE.
>>>>
>>>>
>>>>
>>>> --
>>>> This message was sent by Atlassian Jira
>>>> (v8.20.1#820001)
>>>>

Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

Posted by Pierre Smits <pi...@apache.org>.
Hi Jacques,

in a posting above, you stated:

* Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,


and I remember that functionality introduced in the scrum
application/component was in PHP (or Python) to 'manage' scrum artefacts in
a git repository. I did not investigate the component further. That makes
that 'Even if OFBiz does not use PHP at all' not entirely accurate.

I just thought I'd mention it, to make you aware of this. And potentially an
additional issue that needs to be addressed.

Kind regards,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)
Proud contributor to the ASF since 2006
Apache Directory <https://directory.apache.org>, PMC Member

Anyone could have been you, whereas I've always been anyone.


On Fri, Feb 4, 2022 at 2:06 PM Jacques Le Roux <ja...@les7arts.com>
wrote:

> Hi Pierre,
>
> How is your question related?
>
> On 04/02/2022 at 12:53, Pierre Smits wrote:
> > Hi Jacques,
> >
> > Wasn't there PHP code in the scrum application/component to work with a
> > git repository?
> >
> > Or was that Python?
> >
> >
> > On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <
> > jira@apache.org> wrote:
> >
> >>      [
> >>
> https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028
> >> ]
> >>
> >> ASF subversion and git services commented on OFBIZ-11948:
> >> ---------------------------------------------------------
> >>
> >> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
> >> branch refs/heads/trunk from Jacques Le Roux
> >> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
> >>
> >> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
> >>
> >> Lion Tree <li...@gmail.com> has reported to us that
> >> "CVE-2020-1938 is not fully fixed".
> >>
> >> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
> >> user to upload a webshell included in an image using one of the upload
> >> possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
> >> "Secure the uploads", but was still incomplete.
> >>
> >> This enforces the secured uploads by
> >> * checking in SecuredUpload::isValidImageFile that a webshell is not
> >>   embedded in an image.
> >> * Keeping only "<%" as a denied token for JSP webshells, instead of
> >>   currently "<%@ page"
> >> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
> >>
> >> Also
> >> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
> >>   it's often installed on servers.
> >> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
> >>   longer useful since "<%" and "<jsp" block them.
> >> * Remove php token since I'll put "<?" in.
> >> * Adds "#!", rather than adding other shebangs like perl, python and ruby
> >>
> >> This will make deniedWebShellTokens more understandable.
> >>
> >> But I'm conscious that despite SecuredUpload::isExecutable I still need to
> >> better handle encoded webshells. I'll do that soon in a second approach.
> >>
> >> I'll also certainly prune more PHP-related tokens.
> >>
> >> Thanks: Lion Tree for report
> >>
> >>
> >>> Remote Code Execution (File Upload) Vulnerability
> >>> -------------------------------------------------
> >>>
> >>>                  Key: OFBIZ-11948
> >>>                  URL:
> https://issues.apache.org/jira/browse/OFBIZ-11948
> >>>              Project: OFBiz
> >>>           Issue Type: Sub-task
> >>>           Components: product/catalog
> >>>     Affects Versions: Trunk, 17.12.04, 18.12.01
> >>>             Reporter: Jacques Le Roux
> >>>             Assignee: Jacques Le Roux
> >>>             Priority: Major
> >>>              Fix For: 17.12.05, 18.12.01
> >>>
> >>>
> >>> Harshit Shukla harshit.shukz@gmail.com reported this RCE vulnerability
> >>> to the OFBiz security team, and we thank him for that.
> >>> I'll quote his email message here once the vulnerability is fixed. It's a
> >>> post-auth vulnerability so we did not ask for a CVE.
> >>
> >>
> >>
> >> --
> >> This message was sent by Atlassian Jira
> >> (v8.20.1#820001)
> >>
>

Re: [jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Pierre,

How is your question related?

On 04/02/2022 at 12:53, Pierre Smits wrote:
> Hi Jacques,
>
> Wasn't there PHP code in the scrum application/component to work with a
> git repository?
>
> Or was that Python?
>
>
> On Fri 4 Feb 2022 12:32, ASF subversion and git services (Jira) <
> jira@apache.org> wrote:
>
>>      [
>> https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487028#comment-17487028
>> ]
>>
>> ASF subversion and git services commented on OFBIZ-11948:
>> ---------------------------------------------------------
>>
>> Commit b0b02034eecf8d18ac7ea12f34469ec511269fa0 in ofbiz-framework's
>> branch refs/heads/trunk from Jacques Le Roux
>> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b0b0203 ]
>>
>> Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
>>
>> Lion Tree <li...@gmail.com> has reported to us that
>> "CVE-2020-1938 is not fully fixed".
>>
>> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated
>> user to upload a webshell included in an image using one of the upload
>> possibilities in OFBiz. That is not new and is covered by OFBIZ-12080
>> "Secure the uploads", but was still incomplete.
>>
>> This enforces the secured uploads by
>> * checking in SecuredUpload::isValidImageFile that a webshell is not
>>   embedded in an image.
>> * Keeping only "<%" as a denied token for JSP webshells, instead of
>>   currently "<%@ page"
>> * Adds "application/text/x-ruby" to SecuredUpload::isExecutable
>>
>> Also
>> * Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
>>   it's often installed on servers.
>> * Removes "import=\"java" and "runtime.getruntime().exec(". They are no
>>   longer useful since "<%" and "<jsp" block them.
>> * Remove php token since I'll put "<?" in.
>> * Adds "#!", rather than adding other shebangs like perl, python and ruby
>>
>> This will make deniedWebShellTokens more understandable.
>>
>> But I'm conscious that despite SecuredUpload::isExecutable I still need to
>> better handle encoded webshells. I'll do that soon in a second approach.
>>
>> I'll also certainly prune more PHP-related tokens.
>>
>> Thanks: Lion Tree for report
>>
>>
>>> Remote Code Execution (File Upload) Vulnerability
>>> -------------------------------------------------
>>>
>>>                  Key: OFBIZ-11948
>>>                  URL: https://issues.apache.org/jira/browse/OFBIZ-11948
>>>              Project: OFBiz
>>>           Issue Type: Sub-task
>>>           Components: product/catalog
>>>     Affects Versions: Trunk, 17.12.04, 18.12.01
>>>             Reporter: Jacques Le Roux
>>>             Assignee: Jacques Le Roux
>>>             Priority: Major
>>>              Fix For: 17.12.05, 18.12.01
>>>
>>>
>>> Harshit Shukla harshit.shukz@gmail.com reported this RCE vulnerability
>>> to the OFBiz security team, and we thank him for that.
>>> I'll quote his email message here once the vulnerability is fixed. It's a
>>> post-auth vulnerability so we did not ask for a CVE.
>>
>>
>>
>> --
>> This message was sent by Atlassian Jira
>> (v8.20.1#820001)
>>