0041401: Security Issue - Path Traversal with Attachments

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0041401

Openbravo ERP

C. Security

public

2019-07-18 17:51

2019-08-22 14:45

Reporter

dlescos

Assigned To

alostale

Priority

high

Severity

major

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Openbravo Appliance 14.04

Product Version

3.0PR18Q3.5

Target Version

Fixed in Version

3.0PR19Q4

Merge Request Status

Review Assigned To

caristu

OBNetwork customer

Web browser

Modules

User Interface Application

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0041401: Security Issue - Path Traversal with Attachments

Description

Attachments are vulnerable to path traversal attack by modifiying the inpKey parameter while the file is submitted, letting the Openbravo user access the server file system and replace files.

The issue lies in the
_org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ method which does not check the _inpKeyId_ value, used to create the subdirectories in attachments.

This value is later splitted in three-characters directories (_splitPath_ method, same class). This does not prevent the user from accessing large portions of the underlying file system.

Furthermore, informations on the attachments directory location on the server can be gained by providing a non existing path, which results in the user error message displaying the attachments directory absolute path.

This implies two immediate possibilities :
- if the attachments directory is contained in the main Openbravo directory, then files in _web_ and _web/js_ and _src/{build.xml, index.jsp,...}_ can be replaced.
- On UNIX, if the attachments directory is a subdirectory of _$HOME_, _.bashrc_ can be replaced.

Steps To Reproduce

The following has been tested on the last openbravo sourceforge appliance (3.0PR18Q3.5).

Open a transaction window that provides the attachments feature, let's say _"Sales Order"_.

## Collect informations
Click __"[ Add ]"__ in the Attachments section
Choose you __test_file.txt__ file with the __"Choose File"__ button.

Click __"Submit"__ and intercept the post request to __businessUtility/TabAttachments_FS.html__ and manually update the json parameter __paramValues.inpKey()__ with some impossible path like __../../../../../../../../../__ which will become __attachments/259/../../../../../../../../../__

Then forward the updated request. This should display _"Could not move report to final destination: /opt/OpenbravoERP/attachments/259/../../../../../../../../../test_file.txt"_
You have gained informations on the attachments path.

## Replace a file on the file system
Same as above but with a valid _inpKey_ path. For example on the test appliance:
../../webjs which will be expanded to attachments/259/../../web/js.

Proposed Solution

Set the _SaveAttachmentsOldWay_ to _Y_ is an immediate solution.

A possible patch would be to update the _org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ to check the whole path does not contain the ".." substring before _FileUtils.copyFileToDirectory_ is called.

Additional Information

Tags

No tags attached.

Relationships

depends on	backport	0041411	3.0PR19Q3	closed	alostale	Security Issue - Path Traversal with Attachments
depends on	backport	0041412	3.0PR19Q2.2	closed	alostale	Security Issue - Path Traversal with Attachments
depends on	backport	0041413	3.0PR19Q1.3	closed	alostale	Security Issue - Path Traversal with Attachments