[ofbiz-framework] branch release18.12 updated: Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite (OFBIZ-12584)

Sun, 27 Feb 2022 09:28:39 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 06006f1  Fixed: Stored XSS in webappPath parameter from 
content/control/EditWebSite (OFBIZ-12584)
06006f1 is described below

commit 06006f1666b2a81efcde4ec49d330c5fe1197e9f
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Feb 27 18:24:20 2022 +0100

    Fixed: Stored XSS in webappPath parameter from content/control/EditWebSite 
(OFBIZ-12584)
    
    Adds <<",","+",',','+'>> to deniedWebShellTokens as an obviously non 
satisfying
    (because images may contain those strings, I checked) temporary solution 
before
    looking at Freemarker::WhitelistMemberAccessPolicy as suggested by Matei
    
    Thanks to Matei "Mal" Badanoiu for reporting this post-auth vulnerabily
---
 framework/security/config/security.properties | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 47f83e1..6a8ae69 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -232,8 +232,9 @@ 
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,<form,<jsp:
                      
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
                      chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,<svg
 ,\
                      python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget ,static,\
-                     ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
-
+                     ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,\
+                     ",","+",',','+'
+#-- Last line is a non satisfying (because images may contain those strings) 
temporary solution before looking at Freemarker::WhitelistMemberAccessPolicy
 
 #-- Max line length for uploaded files, by default 10000
 maxLineLength=

Reply via email to