Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0041401Openbravo ERPC. Securitypublic2019-07-18 17:512019-08-22 14:45
dlescos 
alostale 
highmajoralways
closedfixed 
30Openbravo Appliance 14.04
3.0PR18Q3.5 
3.0PR19Q4 
caristu
User Interface Application
No
0041401: Security Issue - Path Traversal with Attachments
Attachments are vulnerable to path traversal attack by modifiying the inpKey parameter while the file is submitted, letting the Openbravo user access the server file system and replace files.

The issue lies in the
_org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ method which does not check the _inpKeyId_ value, used to create the subdirectories in attachments.

This value is later splitted in three-characters directories (_splitPath_ method, same class). This does not prevent the user from accessing large portions of the underlying file system.

Furthermore, informations on the attachments directory location on the server can be gained by providing a non existing path, which results in the user error message displaying the attachments directory absolute path.

This implies two immediate possibilities :
- if the attachments directory is contained in the main Openbravo directory, then files in _web_ and _web/js_ and _src/{build.xml, index.jsp,...}_ can be replaced.
- On UNIX, if the attachments directory is a subdirectory of _$HOME_, _.bashrc_ can be replaced.
The following has been tested on the last openbravo sourceforge appliance (3.0PR18Q3.5).

Open a transaction window that provides the attachments feature, let's say _"Sales Order"_.

## Collect informations
Click __"[ Add ]"__ in the Attachments section
Choose you __test_file.txt__ file with the __"Choose File"__ button.

Click __"Submit"__ and intercept the post request to __businessUtility/TabAttachments_FS.html__ and manually update the json parameter __paramValues.inpKey()__ with some impossible path like __../../../../../../../../../__ which will become __attachments/259/../../../../../../../../../__

Then forward the updated request. This should display _"Could not move report to final destination: /opt/OpenbravoERP/attachments/259/../../../../../../../../../test_file.txt"_
You have gained informations on the attachments path.

## Replace a file on the file system
Same as above but with a valid _inpKey_ path. For example on the test appliance:
../../webjs which will be expanded to attachments/259/../../web/js.
Set the _SaveAttachmentsOldWay_ to _Y_ is an immediate solution.

A possible patch would be to update the _org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ to check the whole path does not contain the ".." substring before _FileUtils.copyFileToDirectory_ is called.
No tags attached.
depends on backport 00414113.0PR19Q3 closed alostale Security Issue - Path Traversal with Attachments 
depends on backport 00414123.0PR19Q2.2 closed alostale Security Issue - Path Traversal with Attachments 
depends on backport 00414133.0PR19Q1.3 closed alostale Security Issue - Path Traversal with Attachments 
Issue History
2019-07-18 17:51dlescosNew Issue
2019-07-18 17:51dlescosAssigned To => platform
2019-07-18 17:51dlescosModules => User Interface Application
2019-07-18 17:51dlescosTriggers an Emergency Pack => No
2019-07-22 12:47alostaleStatusnew => scheduled
2019-07-22 12:48alostaleReview Assigned To => caristu
2019-07-22 12:48alostaleAssigned Toplatform => alostale
2019-07-22 13:10hgbotCheckin
2019-07-22 13:10hgbotNote Added: 0113560
2019-07-22 13:10hgbotStatusscheduled => resolved
2019-07-22 13:10hgbotResolutionopen => fixed
2019-07-22 13:10hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/922ad4794b2f9930dfa8ca3c0d9076555c2ea3e2 [^]
2019-07-26 08:30caristuNote Added: 0113658
2019-07-26 08:30caristuStatusresolved => closed
2019-07-26 08:30caristuFixed in Version => 3.0PR19Q4
2019-07-26 09:40hgbotCheckin
2019-07-26 09:40hgbotNote Added: 0113668
2019-08-22 14:44hudsonbotCheckin
2019-08-22 14:44hudsonbotNote Added: 0114170
2019-08-22 14:45hudsonbotCheckin
2019-08-22 14:45hudsonbotNote Added: 0114178

Notes
(0113560)
hgbot   
2019-07-22 13:10   
Repository: erp/devel/pi
Changeset: 922ad4794b2f9930dfa8ca3c0d9076555c2ea3e2
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Jul 22 13:10:02 2019 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/922ad4794b2f9930dfa8ca3c0d9076555c2ea3e2 [^]

fixed issue 41401: incorrect attachment key management

  The changeset includes:
    * Checking key sent from customer is a valid ID
    * Check the record is readable when uploading files
    * Check there is an acutal record for a given key

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/AttachImplementationManager.java
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
(0113658)
caristu   
2019-07-26 08:30   
Reviewed + tested OK.
(0113668)
hgbot   
2019-07-26 09:40   
Repository: erp/devel/pi
Changeset: f12cfbd48d9c4f755762b792a9481ef217a00dea
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Fri Jul 26 09:40:04 2019 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/f12cfbd48d9c4f755762b792a9481ef217a00dea [^]

related to issue 41401: fix typo

---
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
(0114170)
hudsonbot   
2019-08-22 14:44   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/ad3efd3bd07c [^]
Maturity status: Test
(0114178)
hudsonbot   
2019-08-22 14:45   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/ad3efd3bd07c [^]
Maturity status: Test