OFBiz › OFBiz - Notifications

[jira] [Commented] (OFBIZ-12080) Secure the uploads

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-12080) Secure the uploads

[ https://issues.apache.org/jira/browse/OFBIZ-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17249066#comment-17249066 ]

ASF subversion and git services commented on OFBIZ-12080:
---------------------------------------------------------

Commit ba6470b9eaab8913a3d8c1305774c2321c338e38 in ofbiz-framework's branch refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=ba6470b ]

Fixed: Secure the uploads (OFBIZ-12080)

Follows OWASP advice on file names:

All the control characters and Unicode ones should be removed from the filenames
and their extensions without any exception. Also, the special characters such as
“;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be
discarded as well.

If it is applicable and there is no need to have Unicode characters, it is
highly recommended to only accept Alpha-Numeric characters and only 1 dot as an
input for the file name and the extension; in which the file name and also the
extension should not be empty at all
(regular expression: [a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}).

So if someone needs other chars in uploaded filenames a change will be needed

> Secure the uploads
> ------------------
>
> Key: OFBIZ-12080
> URL: https://issues.apache.org/jira/browse/OFBIZ-12080
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL APPLICATIONS, ALL PLUGINS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.01, 17.12.05
>
>
> 2020/08/10 the OFBiz security team received a security report by Harshit Shukla <[hidden email]>, roughly it was (quoting part of it to simplify):
> bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason behind this RCE is lack of file extension check at catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category
> Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS credentials by uploading a webshell (based on [0]). By security, it was then decided by the Infra and OFBiz security teams to shut down the demos.
> After I decided we needed to secure all our uploads and not only checking extensions, I began to work on the vulnerablity. During this work I discovered, according to [1] and [2], that these AWS credentials are so far considered harmless.
> This post-auth RCE relies on the demo data. In our documentation[3], we warn our users to not use the demo data. Notably because they allow to sign in as an admin!
> After discussing these elements with Mark J Cox (VP of ASF security team[4]) we in common decided that no CVE was necessary.
> [0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
> [1] https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
> [2] https://twitter.com/SpenGietz/status/1104198404471631872
> [3] https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment
> [4] https://awe.com/mark/history/index.html

--
This message was sent by Atlassian Jira
(v8.3.4#803005)