[jira] [Updated] (OFBIZ-12080) Secure the uploads

[jira] [Updated] (OFBIZ-12080) Secure the uploads

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12080:
------------------------------------
    Description:
2020/08/10 the OFBiz security team received a security report from Harshit Shukla <[hidden email]>, roughly it was (quoting part of it to simplify):

bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason behind this RCE is lack of file extension check at catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category

Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS credentials by uploading a webshell (based on [0]). As a security precaution, the Infra and OFBiz security teams then decided to shut down the demos.

After I decided we needed to secure all our uploads, not only check extensions, I began to work on the vulnerability. During this work I discovered, according to [1] and [2], that these AWS credentials are so far considered harmless.

This post-auth RCE relies on the demo data. In our documentation[3], we warn our users not to use the demo data, notably because it allows signing in as an admin!

After discussing these elements with Mark J Cox (VP of ASF security team[4]) we jointly decided that no CVE was necessary.

[0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
[1] https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
[2] https://twitter.com/SpenGietz/status/1104198404471631872
[3] https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment
[4] https://awe.com/mark/history/index.html


  was:
2020/08/10 the OFBiz security team received a security report from Harshit Shukla <[hidden email]>, roughly it was (quoting part of it to simplify):

bq. I have identified a Remote Code Execution (RCE) Vulnerability. The reason behind this RCE is lack of file extension check at catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category

Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS credentials by uploading a webshell (based on [0]). As a security precaution, the Infra and OFBiz security teams then decided to shut down the demos.

After I decided we needed to secure all our uploads, not only check extensions, I began to work on the vulnerability. During this work I discovered, according to [1] and [2], that these AWS credentials are so far considered harmless.

This post-auth RCE relies on the demo data. For a long time, our documentation has warned users not to use the demo data, notably because it allows signing in as an admin!

After discussing these elements twice with Mark J Cox (VP of ASF security team[3]) we jointly decided that no CVE was necessary.

[0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
[1] https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
[2] https://twitter.com/SpenGietz/status/1104198404471631872
[3] https://awe.com/mark/history/index.html


> Secure the uploads
> ------------------
>
>                 Key: OFBIZ-12080
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12080
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.05
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
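The issue above describes an upload handler that checked nothing but the file extension, and the decision to "secure all our uploads and not only check extensions". The class below is an added example of what that stronger check looks like for an image upload; it is not OFBiz's code and not the fix committed for OFBIZ-12080. The class name, method names, error messages and sample inputs are all my own, constructed for illustration; it uses only the Java standard library (Java 11 or later for Map.of). It layers four independent checks: the client-supplied path is discarded, the extension must be on an allow-list, the leading bytes must match the magic bytes of the claimed type, and the bytes must actually decode as an image. Finally, the stored name is chosen server-side, so the client never controls where or under what name the file lands.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;
import javax.imageio.ImageIO;

/**
 * Added example, not OFBiz code: validate an uploaded image by extension allow-list,
 * magic bytes and a real decode, then store it under a server-chosen name.
 */
public final class ImageUploadValidator {

    /** Allow-list: lower-case extension -> accepted magic-byte prefixes. */
    private static final Map<String, byte[][]> MAGIC = Map.of(
        "png",  new byte[][] { {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A} },
        "jpg",  new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "jpeg", new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "gif",  new byte[][] { "GIF87a".getBytes(StandardCharsets.US_ASCII),
                               "GIF89a".getBytes(StandardCharsets.US_ASCII) });

    /** Thrown when an upload fails any check; the message says which one. */
    public static final class Rejected extends Exception {
        Rejected(String message) { super(message); }
    }

    /** Returns the file name to store under, or throws Rejected. */
    public static String validate(String clientFileName, byte[] content) throws Rejected {
        // 1. Drop any directory part the client sent ("../x/cmd.jsp", "C:\\x\\cmd.jsp").
        int sep = Math.max(clientFileName.lastIndexOf('/'), clientFileName.lastIndexOf('\\'));
        String base = clientFileName.substring(sep + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            throw new Rejected("missing extension");
        }
        // 2. Extension allow-list, case-insensitive, so "cmd.JSP" fails like "cmd.jsp".
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[][] prefixes = MAGIC.get(ext);
        if (prefixes == null) {
            throw new Rejected("extension not allowed: ." + ext);
        }
        // 3. The bytes must start like the claimed type: "cmd.jsp.png" with a JSP body fails here.
        boolean magicOk = false;
        for (byte[] p : prefixes) {
            if (content.length >= p.length && Arrays.equals(Arrays.copyOf(content, p.length), p)) {
                magicOk = true;
            }
        }
        if (!magicOk) {
            throw new Rejected("content does not match ." + ext);
        }
        // 4. The bytes must decode as an image; ImageIO.read returns null when no reader accepts them
        //    and throws IOException when a reader accepts the header but the body is not an image.
        try (InputStream in = new ByteArrayInputStream(content)) {
            if (ImageIO.read(in) == null) {
                throw new Rejected("not a decodable image");
            }
        } catch (IOException e) {
            throw new Rejected("image decode failed: " + e.getMessage());
        }
        // 5. Never reuse the client name: random name plus the validated extension.
        return UUID.randomUUID() + "." + ext;
    }

    private static void attempt(String name, byte[] content) {
        try {
            System.out.println(name + " -> stored as " + validate(name, content));
        } catch (Rejected e) {
            System.out.println(name + " -> rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a JSP command-execution body, and a 1x1 PNG built in memory.
        byte[] jsp = "<% Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %>"
            .getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ImageIO.write(new BufferedImage(1, 1, BufferedImage.TYPE_INT_RGB), "png", out);
        byte[] png = out.toByteArray();

        attempt("cmd.jsp", jsp);                   // plain webshell name
        attempt("../../webapp/cmd.JSP", jsp);      // traversal plus upper-case extension
        attempt("cmd.jsp.png", jsp);               // allowed extension, non-image body
        attempt("cmd.png", Arrays.copyOf(png, 8)); // PNG signature with no image data behind it
        attempt("category.png", png);              // a real image
    }
}
```

Two caveats a practitioner should keep in mind. First, magic bytes plus a successful decode do not defeat polyglot files: a valid PNG with a JSP payload appended after the IEND chunk still decodes, because the reader stops at IEND. Re-encoding the decoded BufferedImage with ImageIO.write (rather than storing the original bytes) discards such trailing data. Second, none of this matters if the stored file can be reached by the servlet container as a JSP; the upload directory must sit outside any path the container compiles or serves as code, and downloads should go through a handler that sets a fixed Content-Type. The server-chosen name in step 5 is what makes the extension check meaningful, since the client can no longer pick a name that the container treats as executable.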