Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/04 11:31:55 UTC
[ofbiz-framework] branch trunk updated (6889ed1 -> 5b1843f)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.
from 6889ed1 Improved: no functional change, adds a BuildBot badge (INFRA-22807)
new b0b0203 Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
new 5b1843f Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
framework/catalina/ofbiz-component.xml | 12 ++++++++++--
framework/security/config/security.properties | 6 +++---
.../main/java/org/apache/ofbiz/security/SecuredUpload.java | 4 +++-
3 files changed, 16 insertions(+), 6 deletions(-)
[ofbiz-framework] 01/02: Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit b0b02034eecf8d18ac7ea12f34469ec511269fa0
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Feb 4 04:30:13 2022 +0100
Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
Lion Tree <li...@gmail.com> has reported to us that
"CVE-2020-1938 is not fully fixed".
Though it was fixed by OFBIZ-11407, it is still possible for an authenticated user
to upload a webshell included in an image using one of the upload possibilities
in OFBiz. That is not new and is covered by OFBIZ-12080 "Secure the uploads", but
was still incomplete.
This enforces the secured uploads by
* checking in SecuredUpload::isValidImageFile that a webshell is not embedded in
an image.
* Keeping only "<%" as a denied token for JSP webshells, instead of the current
"<%@ page"
* Adds "application/text/x-ruby" to SecuredUpload::isExecutable
Also
* Adds "<jsp", and "<?" for PHP. Even if OFBiz does not use PHP at all,
it's often installed on servers.
* Removes "import=\"java" and "runtime.getruntime().exec(". They are no
longer useful since "<%" and "<jsp" block them.
* Remove php token since I'll put "<?" in.
* Adds "#!", rather than adding other shebangs like perl, python and ruby.
This will make deniedWebShellTokens more understandable.
But I'm conscious that despite SecuredUpload::isExecutable I still need to
better handle encoded webshells. I'll do that soon in a second approach.
I'll also certainly prune more PHP-related tokens.
Thanks: Lion Tree for report
---
framework/security/config/security.properties | 6 +++---
.../src/main/java/org/apache/ofbiz/security/SecuredUpload.java | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5816f0c..9eccffb 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -238,9 +238,9 @@ allowAllUploads=
#-- eg: https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
#-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax.
#-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows...
-deniedWebShellTokens=freemarker,import=\"java,runtime.getruntime().exec(,<%@ page,<script,<body>,<form,php,\
- javascript,%eval,@eval,import os,passthru,exec,shell_exec,assert,str_rot13,system,phpinfo,base64_decode,chmod,mkdir,\
- fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile
+deniedWebShellTokens=<%,<jsp:,<?,#!,freemarker,<script,javascript,%eval,@eval,<body>,<form,\
+ import os,passthru,exec,shell_exec,assert,str_rot13,system,base64_decode,chmod,mkdir,\
+ fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile
#-- Popup last-visited time from database after user has logged in.
#-- So users can know of any unauthorised access to their accounts.
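Review bot: the new two-character tokens on the `+deniedWebShellTokens=` line widen the match well beyond webshells: `<?` is the first two bytes of every XML declaration (`<?xml version="1.0"?>`), so any XML or SVG upload that passes through this list is now denied, and the retained generic words (`import`, `exec`, `assert`, `system`, `upload`, `download`) already match ordinary prose in text uploads. Suggest stating the XML/SVG consequence in the `#--` comment block above the list so it is a documented decision rather than a surprise, and checking which upload paths feed XML through this list. Also, the commit message says `<jsp` is added while the hunk adds `<jsp:`; the colon form only matches JSP action tags (`<jsp:scriptlet>`, `<jsp:include>`), which is the sensible choice, but the message should say so.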
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 038733d..0f09496 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -244,7 +244,8 @@ public class SecuredUpload {
|| imageFormat.equals(ImageFormats.GIF)
|| imageFormat.equals(ImageFormats.TIFF)
|| imageFormat.equals(ImageFormats.JPEG))
- && imageMadeSafe(fileName);
+ && imageMadeSafe(fileName)
+ && isValidTextFile(fileName);
}
/**
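Review bot: `isValidImageFile` now ANDs in `isValidTextFile(fileName)` for files already confirmed to be PNG/GIF/TIFF/JPEG, i.e. compressed binary data. If `isValidTextFile` reads the bytes as a string and searches for the denied tokens, two-byte tokens such as `<%` and `<?` will occur by chance in a large image and valid uploads will be rejected intermittently; if instead it fails on undecodable bytes, every image fails. Suggest confirming how `isValidTextFile` treats binary content before relying on it here and, if the goal is the embedded-webshell case from the report, limiting the token scan to the decodable regions of the image (metadata/comment segments, or bytes trailing the format's end marker) and recording that intent in a comment next to the new `&& isValidTextFile(fileName);` line.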
@@ -418,6 +419,7 @@ public class SecuredUpload {
if ("application/x-elf".equals(mimeType)
|| "application/x-sh".equals(mimeType)
|| "application/text/x-perl".equals(mimeType)
+ || "application/text/x-ruby".equals(mimeType)
|| "application/text/x-python".equals(mimeType)) {
Debug.logError("The file" + fileName + " is a Linux executable, for security reason it's not accepted :", MODULE);
return true;
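Review bot: two small things in the method this hunk touches. The context line `Debug.logError("The file" + fileName + " is a Linux executable, for security reason it's not accepted :", MODULE);` is missing a space after `"The file"` and ends in a dangling `" :"`; since the method is being edited, change it to `"The file " + fileName + " is a Linux executable; for security reasons it is not accepted"`. Second, `"application/text/x-ruby"` follows the existing `x-perl`/`x-python` spelling, which is not a registered MIME form (`text/x-ruby` is the usual one); it is only effective if the MIME detector in use actually emits that exact string, otherwise the new comparison is a silent no-op, so it is worth verifying against the detector, and the growing `||` chain would read better as a `Set<String>` constant checked with `contains(mimeType)`.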
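To make the denylist mechanism from the first commit concrete, the following is an added Python example, not OFBiz code and not the committer's: it parses a `deniedWebShellTokens` value written in Java `.properties` style with the backslash line continuations shown in the `security.properties` hunk, then scans constructed sample uploads for those tokens. The tokens themselves are the committed list; the case-insensitive matching and the `looks_like_text` gate (content with NUL bytes or invalid UTF-8 is reported as binary and not token-scanned) are this example's own assumptions, not what `SecuredUpload` does. The gate is there because short tokens such as `<%` can occur by chance inside compressed image bytes, and the SVG sample shows that `<?` matches every XML declaration.

```python
"""Added example (not OFBiz code): parse a deniedWebShellTokens entry written in
Java .properties style, with backslash line continuations as in the committed
security.properties hunk, and scan constructed upload content for the tokens.
The text-vs-binary gate is this example's own assumption, not SecuredUpload's logic."""
from typing import NamedTuple

# Constructed excerpt mirroring the committed value (same tokens, same continuation layout).
SECURITY_PROPERTIES = r"""
#-- constructed excerpt; the real file carries more keys and comments
allowAllUploads=
deniedWebShellTokens=<%,<jsp:,<?,#!,freemarker,<script,javascript,%eval,@eval,<body>,<form,\
    import os,passthru,exec,shell_exec,assert,str_rot13,system,base64_decode,chmod,mkdir,\
    fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile
"""


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value pairs,
    and a trailing backslash joining the next line with its leading whitespace dropped."""
    props = {}
    pending = []  # fragments of the logical line currently being continued
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith(("#", "!"))):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        key, _, value = "".join(pending).partition("=")
        pending = []
        props[key.strip()] = value.strip()
    return props


def load_denied_tokens(properties_text: str) -> list:
    """Split the comma-separated deniedWebShellTokens value into individual tokens."""
    value = parse_properties(properties_text).get("deniedWebShellTokens", "")
    return [tok.strip() for tok in value.split(",") if tok.strip()]


class ScanResult(NamedTuple):
    is_text: bool      # False means the content was treated as binary and not scanned
    matches: list      # denied tokens found, in list order


def looks_like_text(data: bytes) -> bool:
    """Assumption of this example: content containing NUL bytes or invalid UTF-8 is binary.
    Binary content is not token-scanned because two-byte tokens such as '<%' occur by
    chance in compressed image data and would reject legitimate images."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def scan_upload(data: bytes, tokens: list) -> ScanResult:
    """Report which denied tokens occur in text content; binary content is flagged, not scanned."""
    if not looks_like_text(data):
        return ScanResult(False, [])
    haystack = data.decode("utf-8").lower()   # case-insensitive match is an assumption
    return ScanResult(True, [tok for tok in tokens if tok.lower() in haystack])


if __name__ == "__main__":
    tokens = load_denied_tokens(SECURITY_PROPERTIES)
    # Constructed samples: a JSP action tag, an SVG with an XML declaration,
    # a NUL-containing blob that happens to contain "<%", and plain prose.
    for sample in (b"<jsp:include page='x.jsp'/>",
                   b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>',
                   b"\xff\xd8\xff\xe0\x00<%",
                   b"Just a photo caption."):
        print(sample[:24], scan_upload(sample, tokens))
```

Running the block prints one `ScanResult` per constructed sample: the JSP tag and the SVG are flagged (`<jsp:` and `<?` respectively), the NUL-containing blob is reported as binary with no matches, and the plain caption passes. The same parser can be pointed at a real `security.properties` to confirm that a hand-edited list still splits into the tokens you expect.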
[ofbiz-framework] 02/02: Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 5b1843f1c068b93d928420c80c1a8301990ef580
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Feb 4 12:28:47 2022 +0100
Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
Despite OFBIZ-11407, the 2 values secretRequired and especially
allowedRequestAttributesPattern are commented out because of OFBIZ-12558.
The Tomcat default values will be used as recommended by
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is related to
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
Thanks: Lion Tree for report
---
framework/catalina/ofbiz-component.xml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml
index b323ebb..a06eddc 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -74,9 +74,17 @@ under the License.
<property name="secure" value="false"/>
<property name="URIEncoding" value="UTF-8"/>
<property name="xpoweredBy" value="false"/>
- <property name="secretRequired" value="false"/>
- <property name="allowedRequestAttributesPattern" value=".*"/>
<!-- AJP/13 connector attributes -->
+ <!-- Despite OFBIZ-11407, the 2 values below are commented out because of OFBIZ-12558
+ The Tomcat default values will be used as recommended by
+ https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
+ This is in relation with
+ https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
+ and
+ https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
+ -->
+ <!-- <property name="secretRequired" value="false"/>
+ <property name="allowedRequestAttributesPattern" value=".*"/> -->
<!-- commented out because the values match the Tomcat defaults:
<property name="tomcatAuthentication" value="true"/>
<property name="allowTrace" value="false"/>
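Review bot: dropping `<property name="secretRequired" value="false"/>` makes the AJP connector fall back to Tomcat's default `secretRequired="true"`, and since Tomcat 9.0.31 a connector with `secretRequired` true and no `secret` configured refuses to start. The new comment block only points to the Tomcat documentation; it should say explicitly that deployments which keep AJP enabled must now add a `secret` property (and set `allowedRequestAttributesPattern` if the front proxy forwards request attributes, which are rejected by default), or disable the connector, otherwise this change surfaces as a startup failure rather than a hardening.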