Details

    • Bug Crush Event - 21/2/2015

    Description

      2020/08/10 the OFBiz security team received a security report by Harshit Shukla <harshit.shukz@gmail.com>, roughly it was (quoting part of it to simplify):

      I have identified a Remote Code Execution (RCE) Vulnerability. The reason behind this RCE is lack of file extension check at catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category

      Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS credentials by uploading a webshell (based on [0]). By security, it was then decided by the Infra and OFBiz security teams to shut down the demos.

      After I decided we needed to secure all our uploads and not only checking extensions, I began to work on the vulnerablity. During this work I discovered, according to [1] and [2], that these AWS credentials are so far considered harmless.

      This post-auth RCE relies on the demo data. In our documentation[3], we warn our users to not use the demo data. Notably because they allow to sign in as an admin!

      After discussing these elements with Mark J Cox (VP of ASF security team[4]) we in common decided that no CVE was necessary.

      [0] https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp
      [1] https://ibreak.software/2020/04/what-are-these-reserved-set-of-security-credentials-in-aws/
      [2] https://twitter.com/SpenGietz/status/1104198404471631872
      [3] https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment
      [4] https://awe.com/mark/history/index.html

      Attachments

        1. OFBIZ-12080.patch
          3 kB
          Jacques Le Roux

        Issue Links

          Activity

            People

              jleroux Jacques Le Roux
              jleroux Jacques Le Roux
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: