Details
Description
First of all: I am not sure whether the service is intentionally set up by the project. But as the current ISIS version (7.9.0) that is used by isis is vulnerable to it, I guess it might be relevant to you.
The H2 database web console is exposed to external access and uses the SA admin user by default, resulting in code execution
Browsing to 127.0.0.1:8080/db, you can log in without supplying any further username or password, because the project permits the default SA login (see 1.png, 2.png).
The SA account can run arbitrary SQL, and H2's CREATE ALIAS lets an admin user bind a SQL function to any static Java method, so SQL access becomes code execution (see 3.png).
PoC:
-- bind a SQL function to a static method of the JVM running the application
CREATE ALIAS GET_SYSTEM_PROPERTY FOR "java.lang.System.getProperty";
-- invoke it; returning the classpath shows that arbitrary Java is reachable from SQL
CALL GET_SYSTEM_PROPERTY('java.class.path');
Even if the H2 DB web login is a normal service, I think it needs to be set to prohibit remote browser login.
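The two conditions that make the report above exploitable are an H2 console that accepts non-localhost browsers and an SA account with no password. The audit script below is an added example, not the reporter's or the project's code. It assumes the console is embedded through H2's standard org.h2.server.web.WebServlet, whose webAllowOthers init-param is what H2 documents for allowing remote browsers, and it assumes JDO-style connection properties using the standard javax.jdo.option.ConnectionUserName / ConnectionPassword key names. Both the web.xml fragments and the properties are constructed for the example; the property prefix is illustrative and the real files of the project may be laid out differently.

```python
import xml.etree.ElementTree as ET

# Class name of the H2 console servlet, as documented by H2 for embedding the
# console in a web application.
H2_CONSOLE_SERVLET = "org.h2.server.web.WebServlet"

# Constructed web.xml fragment: the exposure described in the report, console
# mapped at /db and reachable from hosts other than localhost.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>H2Console</servlet-name>
    <servlet-class>org.h2.server.web.WebServlet</servlet-class>
    <init-param>
      <param-name>webAllowOthers</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>H2Console</servlet-name>
    <url-pattern>/db/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed hardened fragment: same servlet, remote browsers refused.
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>true</param-value>",
                                        "<param-value>false</param-value>")

# Constructed JDO-style connection properties. The key suffixes are the
# standard javax.jdo.option names; the "app.datastore." prefix is made up.
WEAK_PROPS = """
app.datastore.javax.jdo.option.ConnectionURL=jdbc:h2:mem:demo
app.datastore.javax.jdo.option.ConnectionUserName=sa
app.datastore.javax.jdo.option.ConnectionPassword=
"""
HARDENED_PROPS = WEAK_PROPS.replace("ConnectionPassword=",
                                    "ConnectionPassword=long-random-secret")

REMOTE_CONSOLE_MSG = ("H2 console reachable from non-localhost clients "
                      "(webAllowOthers=true)")
EMPTY_SA_MSG = "H2 admin user 'sa' configured with an empty password"


def _local(tag):
    """Strip the default namespace that web.xml puts on every element."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_web_xml(web_xml):
    """Return (url-pattern, message) findings for an exposed H2 console.

    An empty list means no H2 console servlet is mapped, or it is mapped
    without webAllowOthers=true, so only localhost browsers are accepted.
    """
    root = ET.fromstring(web_xml)
    console_servlets = {}  # servlet-name -> webAllowOthers value (lower-cased)
    for el in root.iter():
        if _local(el.tag) != "servlet":
            continue
        if _child_text(el, "servlet-class") != H2_CONSOLE_SERVLET:
            continue
        allow_others = ""
        for param in el:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "webAllowOthers"):
                allow_others = _child_text(param, "param-value").lower()
        console_servlets[_child_text(el, "servlet-name")] = allow_others

    findings = []
    for el in root.iter():
        if _local(el.tag) != "servlet-mapping":
            continue
        name = _child_text(el, "servlet-name")
        if console_servlets.get(name) == "true":
            findings.append((_child_text(el, "url-pattern"), REMOTE_CONSOLE_MSG))
    return findings


def audit_jdo_properties(props):
    """Flag the SA user with an empty password in JDO-style properties."""
    user, password = None, None
    for line in props.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.endswith("javax.jdo.option.ConnectionUserName"):
            user = value
        elif key.endswith("javax.jdo.option.ConnectionPassword"):
            password = value
    if user is not None and user.lower() == "sa" and not password:
        return [EMPTY_SA_MSG]
    return []


if __name__ == "__main__":
    for label, wx, props in (("weak", WEAK_WEB_XML, WEAK_PROPS),
                             ("hardened", HARDENED_WEB_XML, HARDENED_PROPS)):
        print(label, audit_web_xml(wx), audit_jdo_properties(props))
```

Running it reports the /db mapping and the empty SA password for the weak pair and nothing for the hardened pair. Setting webAllowOthers to false restores the H2 default of accepting only localhost browsers; giving SA a real password (or removing the console servlet entirely from a deployed build) closes the second half of the chain, since CREATE ALIAS is available to any admin user who can log in.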