Jacques Le Roux created OFBIZ-11196:
---------------------------------------
Summary: Path Traversal in webtools/control/FetchLogs and ViewFile
Key: OFBIZ-11196
URL: https://issues.apache.org/jira/browse/OFBIZ-11196
Project: OFBiz
Issue Type: Bug
Components: framework/webtools
Affects Versions: Trunk
Reporter: Jacques Le Roux
This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it a real security issue because it requires authentication.
{quote}
Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host OS by modifying the "logFileName" parameter.
While the web application submits the affected URL as a POST request, it can be converted to a GET for ease of use.
Affected URLs:
/webtools/control/FetchLogs?logFileName
/webtools/control/ViewFile?fileName
Screenshots:
see attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png
{quote}
That can indeed be easily reproduced at
https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=../../../../../../etc/passwd
https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=../../../../../../etc/passwd
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
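The containment check that closes the bug described in this issue, for both the `logFileName` parameter of FetchLogs and the `fileName` parameter of ViewFile, as an added Java example that is not OFBiz's own code; the log directory path, the class name and the method name are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class LogFileNameCheck {
    // Hypothetical log directory; the real OFBiz location is not given on this page.
    private static final Path LOG_DIR =
            Paths.get("/opt/ofbiz/runtime/logs").toAbsolutePath().normalize();

    /**
     * Resolves a user-supplied log file name against LOG_DIR and returns the
     * path only if it stays inside that directory. Returns null when the name
     * must be rejected; the caller should then answer with a 4xx and log it.
     */
    public static Path resolveLogFile(String logFileName) throws IOException {
        if (logFileName == null || logFileName.isEmpty()) {
            return null;
        }
        // A log file name is a bare file name, never a path: reject separators
        // and NUL bytes outright instead of trying to clean them up.
        if (logFileName.indexOf('/') >= 0
                || logFileName.indexOf('\\') >= 0
                || logFileName.indexOf('\0') >= 0) {
            return null;
        }
        // Defense in depth: normalize and check lexical containment, so that a
        // value such as "../../../../../../etc/passwd" resolves outside LOG_DIR
        // and is rejected even if the separator check above were relaxed.
        Path candidate = LOG_DIR.resolve(logFileName).normalize();
        if (!candidate.startsWith(LOG_DIR)) {
            return null;
        }
        // Follow symlinks and re-check, so a link placed inside the log
        // directory cannot be used to read a file elsewhere on the host.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(LOG_DIR.toRealPath())) {
                return null;
            }
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one legitimate name and two traversal attempts.
        String[] inputs = {"ofbiz.log", "../../../../../../etc/passwd", "/etc/passwd"};
        for (String in : inputs) {
            System.out.println(in + " -> " + resolveLogFile(in));
        }
    }
}
```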