OFBiz / OFBIZ-1525 Issue to group security concerns / OFBIZ-11196

Path Traversal in webtools/control/FetchLogs and ViewFile

    Details

    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it as a real security issue because it requires authentication.

      Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host OS by modifying the "logFileName" parameter.

      While the web application submits the affected URL as a POST request, it can be converted to a GET for ease of use.

      Affected URLs:
      /webtools/control/FetchLogs?logFileName
      /webtools/control/ViewFile?fileName

      Screenshots:
      see attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png

      That can indeed be easily reproduced at
      https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=../../../../../../etc/passwd
      https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=../../../../../../etc/passwd
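The root cause described above is that a request parameter is used directly as a path, so "../" segments walk out of the log directory. The following is an added illustration of the kind of check a fix needs; it is not OFBiz's own code, and the log directory path, the class name and the method name are assumptions chosen for the example. It accepts only a bare file name (no separators, no "." or "..") and then, as defence in depth, confirms that the resolved path still lies under the intended directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class LogFileNameCheck {

    // Hypothetical log directory for the example; the real location is not stated on this page.
    private static final Path LOG_DIR =
            Paths.get("/opt/ofbiz/runtime/logs").toAbsolutePath().normalize();

    /**
     * Maps a user-supplied "logFileName" value to a file inside LOG_DIR,
     * or throws IllegalArgumentException if the value is not a plain file name
     * or would resolve outside LOG_DIR.
     */
    public static Path resolveLogFile(String requested) {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty log file name");
        }
        // Reject separators outright: a log file name should never contain them.
        if (requested.contains("/") || requested.contains("\\")) {
            throw new IllegalArgumentException("separator in log file name: " + requested);
        }
        // Reject the current/parent directory references.
        if (".".equals(requested) || "..".equals(requested)) {
            throw new IllegalArgumentException("directory reference not allowed: " + requested);
        }
        // Paths.get throws InvalidPathException (an IllegalArgumentException) on
        // characters the file system cannot represent, such as a NUL byte.
        Path name = Paths.get(requested);
        if (name.isAbsolute() || name.getNameCount() != 1) {
            throw new IllegalArgumentException("not a bare file name: " + requested);
        }
        // Defence in depth: after normalisation the target must still be under LOG_DIR.
        Path resolved = LOG_DIR.resolve(name).normalize();
        if (!resolved.startsWith(LOG_DIR)) {
            throw new IllegalArgumentException("outside log directory: " + requested);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name and three traversal attempts.
        String[] samples = {
            "ofbiz.log",
            "../../../../../../etc/passwd",
            "/etc/passwd",
            "sub/ofbiz.log"
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveLogFile(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The name-only rule is the real control here; the startsWith check only guards against a mistake in that rule, since normalize() does not follow symbolic links (a toRealPath() comparison would, but requires the file to exist). The same check applies unchanged to the "fileName" parameter of ViewFile.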

    People

    • Assignee:
      jleroux Jacques Le Roux
    • Reporter:
      jleroux Jacques Le Roux