Fixed: Secure the uploads (OFBIZ-12080)

On 2020/08/10 the OFBiz security team received a security report from Harshit Shukla
<harshit.shukz@gmail.com>; roughly, it was (quoting part of it to simplify):

<<I have identified a Remote Code Execution (RCE) Vulnerability. The reason
behind this RCE is lack of file extension check at
catalog/control/UploadCategoryImage?productCategoryId=CATALOG1_BEST_SELL&pload_file_type=category>>

Using this post-auth RCE in OFBiz demos, Harshit was able to get some AWS
credentials by uploading a webshell (based on [0]).
For security reasons, it was then decided by the Infra and OFBiz security teams to shut
down the demos.

After discussing the reported elements with Mark J Cox (VP of ASF security team),
we jointly decided that no CVE was necessary.

# Conflicts handled by hand in R18:
#	applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java
#	applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
#	applications/product/groovyScripts/catalog/category/EditCategory.groovy
#	applications/product/groovyScripts/catalog/config/EditProductConfigItemContent.groovy
#	applications/product/groovyScripts/catalog/imagemanagement/ImageUpload.groovy
#	applications/product/groovyScripts/catalog/imagemanagement/SetDefaultImage.groovy
#	applications/product/groovyScripts/catalog/product/EditProductContent.groovy
#	applications/product/src/main/java/org/apache/ofbiz/product/image/ScaleImage.java
#	applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
#	applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/ImageManagementServices.java
#	applications/product/src/main/java/org/apache/ofbiz/product/product/ProductServices.java
#	build.gradle
#	framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java
#	framework/base/src/main/java/org/apache/ofbiz/base/util/HttpRequestFileUpload.java
#	framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
#	framework/security/config/security.properties

# Conflicts handled by hand in R17:
#	applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java
#	applications/content/src/main/java/org/apache/ofbiz/content/data/DataServices.java
#	applications/datamodel/data/seed/ContentSeedData.xml
#	build.gradle
#	framework/base/src/main/java/org/apache/ofbiz/base/util/HttpRequestFileUpload.java
21 files changed