[ofbiz-framework] branch release18.12 updated: Fixed: Groovy denied list bypass causes post-auth RCE from webtools/control/ProgramExport (OFBIZ-12571)

Fri, 11 Feb 2022 02:03:22 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 9e5fe10  Fixed: Groovy denied list bypass causes post-auth RCE from 
webtools/control/ProgramExport (OFBIZ-12571)
9e5fe10 is described below

commit 9e5fe107368247bb9df81fa5b2900e489a515ddd
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 11 10:52:43 2022 +0100

    Fixed: Groovy denied list bypass causes post-auth RCE from 
webtools/control/ProgramExport (OFBIZ-12571)
    
    The 1st issue was due to use of processbuilder token. It has been added to
    deniedWebShellTokens in security.properties by f2cf262 commit for OFBIZ 
11948
    The tokens function (for js) and class have been added since while browsing
    https://github.com/tennc/webshell
    
    As mention the related deniedWebShellTokens TODO comment: "TODO.... to be 
continued
    with known webshell contents... a complete allow list is impossible 
anyway...
    
    So, later a deeper review of Groovy sandbox possibilities will be done..
    
    Thanks: Y4er for report
---
 framework/security/config/security.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index e8085fe..b91569c 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -219,7 +219,7 @@ allowAllUploads=
 
deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,scriptlet>,declaration>,expression>,<c:out,taglib,<prefix,<%@
 page,\
                      
%eval,@eval,runtime,import,passthru,shell_exec,assert,str_rot13,system,base64_decode,include,\
                      chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,\
-                     python,perl ,/perl,ruby ,/ruby,processbuilder
+                     python,perl ,/perl,ruby 
,/ruby,processbuilder,function,class
 #-- IMPORTANT: when you change things here you need to do accordingly in 
SecurityUtilTest::webShellTokensTesting and run "gradlew test" --
 
 #-- Popup last-visited time from database after user has logged in.

Reply via email to