[OFBIZ-11196] Path Traversal in webtools/control/FetchLogs and ViewFile - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: 16.11.07, 17.12.01, 18.12.01
Component/s: framework/webtools
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it as a real security issue because it requires authentication.

Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host OS by modifying the "logFileName" parameter.

While the web application submits the affected URL as a POST request, it can be converted to a GET for ease of use.

Affected URLs:
/webtools/control/FetchLogs?logFileName
/webtools/control/ViewFile?fileName

Screenshots:
see attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png

That can indeed be easily reproduced at
https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=../../../../../../etc/passwd
https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=../../../../../../etc/passwd

Attachments

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 12/Sep/19 15:11

Updated:: 16/Sep/19 08:22

Resolved:: 16/Sep/19 08:22