Uploaded image for project: 'Causeway'
  1. Causeway
  2. CAUSEWAY-3128

[Security] h2 console potentially vulnerable to code execution

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Resolved
    • 2.0.0-M7
    • 2.0.0-M8
    • Demo App

    Description

      First of all: I am not sure if the service is intentionally set by the project. But: As the current ISIS version (7.9.0) that is used by isis is vulnerable to it, I guess it might be relevant to you.

       

      h2 database external access is enabled and use SA admin user by default, resulting in code execution

       

      Access 127.0.0.1:8080/db , you can log in without additional username and password. Because project permit SA login, like 1.png, 2.png

       

      SA account can execute sql query, cause code execute, like 3.png

       

      poc like this

      CREATE ALIAS GET_SYSTEM_PROPERTY FOR "java.lang.System.getProperty";
      CALL GET_SYSTEM_PROPERTY('java.class.path');

       

      Even if h2 db web login is a normal servie, I think it needs to be set to prohibit remote browse login

       

      Attachments

        1. 1.png
          52 kB
          WilliamThomson
        2. 2.png
          470 kB
          WilliamThomson
        3. 3.png
          1.06 MB
          WilliamThomson

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            hobrom Andi Huber
            Thomson WilliamThomson
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment