[OFBIZ-12315] OFBiz Arbitrary file read vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Not A Problem
Affects Version/s: Trunk
Fix Version/s: None
Component/s: content
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

This post-auth security issue was reported to the security team by weinull orz <weinull@outlook.com>

Hi,I found an arbitrary file read vulnerability in OFBiz,through this vulnerability, you can read system sensitive files and application configuration files (including database account passwords and other configurations)

URL:
content/control/updateLayoutSubContent
Content -> Template -> Create New

OFBIz version: 17.12.08

Vulnerability Repair:
Strictly restrict accessible files.

Orz Team of weinull

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

截屏2021-08-14 03.31.07.png
14/Sep/21 09:33
281 kB
Jacques Le Roux

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/Sep/21 09:31

Updated:: 14/Sep/21 17:05

Resolved:: 14/Sep/21 13:25