ofbiz-notifications mailing list archives

From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-11196) Path Traversal in webtools/control/FetchLogs and ViewFile
Date Thu, 12 Sep 2019 15:12:00 GMT
Jacques Le Roux created OFBIZ-11196:
---------------------------------------

             Summary: Path Traversal in webtools/control/FetchLogs and ViewFile
                 Key: OFBIZ-11196
                 URL: https://issues.apache.org/jira/browse/OFBIZ-11196
             Project: OFBiz
          Issue Type: Bug
          Components: framework/webtools
    Affects Versions: Trunk
            Reporter: Jacques Le Roux


This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com.
We did not consider it a real security issue because it requires authentication.

{quote}
Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host
OS by modifying the "logFileName" parameter.

While the web application submits the affected URL as a POST request, it can be converted
to a GET for ease of use.

Affected URLs:
/webtools/control/FetchLogs?logFileName
/webtools/control/ViewFile?fileName

Screenshots:
see attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png
{quote}

That can indeed be easily reproduced at
https://demo-trunk.ofbiz.apache.org/webtools/control/FetchLogs?logFileName=../../../../../../etc/passwd
https://demo-trunk.ofbiz.apache.org/webtools/control/ViewFile?fileName=../../../../../../etc/passwd



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
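The defect behind a report like this is a file name taken from a request parameter and joined onto the log directory without checking where the result actually lands. The following is an added example, not OFBiz code (which is Java): it builds a constructed sandbox directory, shows the naive join beside a hardened resolver that canonicalizes the path and confirms it stays inside the log directory, and covers the cases a practitioner should test for (`..` segments, absolute names, a symlink that points outside, and a sibling directory sharing the prefix). The function names are hypothetical.

```python
import os
import tempfile


def make_sandbox():
    """Constructed layout: a log dir, a sibling dir with the same prefix,
    a file outside the log dir, and a symlink inside pointing outside."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "logs")
    os.makedirs(log_dir)
    with open(os.path.join(log_dir, "ofbiz.log"), "w") as f:
        f.write("constructed log line\n")
    os.makedirs(os.path.join(root, "logs-archive"))
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside the log directory\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(log_dir, "escape"))
    return root, log_dir


def vulnerable_resolve(log_dir, log_file_name):
    # Naive join: "../secret.txt" simply walks out of log_dir, and an
    # absolute name replaces log_dir entirely.
    return os.path.join(log_dir, log_file_name)


def safe_resolve(log_dir, log_file_name):
    """Return the canonical path if it lies inside log_dir, else None."""
    base = os.path.realpath(log_dir)
    # realpath collapses ".." and follows symlinks, so the check below sees
    # where the file really is, not how the name was spelled.
    candidate = os.path.realpath(os.path.join(base, log_file_name))
    try:
        # commonpath, not startswith: "/x/logs" must reject "/x/logs-archive".
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


def read_log(log_dir, log_file_name):
    """Serve a log file only after the containment check passes."""
    path = safe_resolve(log_dir, log_file_name)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()
```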
