ofbiz-notifications mailing list archives

From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-11196) Path Traversal in webtools/control/FetchLogs and ViewFile
Date Thu, 12 Sep 2019 15:12:00 GMT
Jacques Le Roux created OFBIZ-11196:

             Summary: Path Traversal in webtools/control/FetchLogs and ViewFile
                 Key: OFBIZ-11196
                 URL: https://issues.apache.org/jira/browse/OFBIZ-11196
             Project: OFBiz
          Issue Type: Bug
          Components: framework/webtools
    Affects Versions: Trunk
            Reporter: Jacques Le Roux

This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com.
We did not consider it a real security issue because it requires authentication.

Authenticated users can use the Fetch Logs functionality to view arbitrary files on the host
OS by modifying the "logFileName" parameter.

While the web application submits the affected URL as a POST request, it can be converted
to a GET for ease of use.

Affected URLs:

see attachments ofbiz_path_traversal_1.png and ofbiz_path_traversal_2.png

That can indeed be easily reproduced at
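The issue above is a missing containment check on the "logFileName" parameter. As an added example (not OFBiz's own code, and not the fix applied for this issue), the following resolves the user-supplied name against an assumed log directory and accepts it only if the normalized result is a direct child of that directory, so "../" segments and absolute paths are rejected rather than string-filtered.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not OFBiz code: a containment check for a user-supplied
 * log file name. The log directory below is an assumed location; the real
 * OFBiz log directory is not stated in the issue.
 */
public class LogFileNameCheck {

    // Assumed log directory (hypothetical path), taken as an absolute, normalized base.
    private static final Path LOG_DIR =
            Paths.get("runtime", "logs").toAbsolutePath().normalize();

    /**
     * Returns the resolved path if logFileName names a direct child of LOG_DIR,
     * otherwise null. The test is done on the normalized absolute path, not on
     * the raw string, so encoded or repeated "../" tricks collapse before the check.
     */
    public static Path resolveLogFile(String logFileName) {
        if (logFileName == null || logFileName.isEmpty()) {
            return null;
        }
        Path candidate = LOG_DIR.resolve(logFileName).normalize();
        // resolve() returns the argument unchanged when it is absolute, so an
        // absolute logFileName also fails this containment test.
        if (!candidate.startsWith(LOG_DIR) || candidate.equals(LOG_DIR)) {
            return null;
        }
        // Allow only direct children: exactly one extra name element, no subdirectories.
        if (candidate.getNameCount() != LOG_DIR.getNameCount() + 1) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name and three traversal attempts.
        String[] inputs = { "ofbiz.log", "../../etc/passwd", "/etc/passwd", "sub/ofbiz.log" };
        for (String in : inputs) {
            Path p = resolveLogFile(in);
            System.out.println(in + " -> " + (p == null ? "rejected" : "allowed: " + p.getFileName()));
        }
    }
}
```

If the log directory may contain symlinks, apply the same startsWith test to `candidate.toRealPath()` after confirming the file exists, since normalize() alone does not follow links.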

This message was sent by Atlassian Jira
