Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0041412Openbravo ERPC. Securitypublic2019-07-18 17:512019-07-26 08:32
30Openbravo Appliance 14.04
User Interface Application
0041412: Security Issue - Path Traversal with Attachments
Attachments are vulnerable to path traversal attack by modifiying the inpKey parameter while the file is submitted, letting the Openbravo user access the server file system and replace files.

The issue lies in the
_org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ method which does not check the _inpKeyId_ value, used to create the subdirectories in attachments.

This value is later splitted in three-characters directories (_splitPath_ method, same class). This does not prevent the user from accessing large portions of the underlying file system.

Furthermore, informations on the attachments directory location on the server can be gained by providing a non existing path, which results in the user error message displaying the attachments directory absolute path.

This implies two immediate possibilities :
- if the attachments directory is contained in the main Openbravo directory, then files in _web_ and _web/js_ and _src/{build.xml, index.jsp,...}_ can be replaced.
- On UNIX, if the attachments directory is a subdirectory of _$HOME_, _.bashrc_ can be replaced.
The following has been tested on the last openbravo sourceforge appliance (3.0PR18Q3.5).

Open a transaction window that provides the attachments feature, let's say _"Sales Order"_.

## Collect informations
Click __"[ Add ]"__ in the Attachments section
Choose you __test_file.txt__ file with the __"Choose File"__ button.

Click __"Submit"__ and intercept the post request to __businessUtility/TabAttachments_FS.html__ and manually update the json parameter __paramValues.inpKey()__ with some impossible path like __../../../../../../../../../__ which will become __attachments/259/../../../../../../../../../__

Then forward the updated request. This should display _"Could not move report to final destination: /opt/OpenbravoERP/attachments/259/../../../../../../../../../test_file.txt"_
You have gained informations on the attachments path.

## Replace a file on the file system
Same as above but with a valid _inpKey_ path. For example on the test appliance:
../../webjs which will be expanded to attachments/259/../../web/js.
Set the _SaveAttachmentsOldWay_ to _Y_ is an immediate solution.

A possible patch would be to update the _org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ to check the whole path does not contain the ".." substring before _FileUtils.copyFileToDirectory_ is called.
No tags attached.
blocks defect 0041401 closed alostale Security Issue - Path Traversal with Attachments 
Issue History
2019-07-22 12:47alostaleTypedefect => backport
2019-07-22 12:47alostaleTarget Version => 3.0PR19Q2.2
2019-07-22 12:48alostaleReview Assigned To => caristu
2019-07-22 12:48alostaleAssigned Toplatform => alostale
2019-07-22 13:27hgbotCheckin
2019-07-22 13:27hgbotNote Added: 0113562
2019-07-22 13:27hgbotStatusscheduled => resolved
2019-07-22 13:27hgbotResolutionopen => fixed
2019-07-22 13:27hgbotFixed in SCM revision => [^]
2019-07-26 08:32caristuNote Added: 0113660
2019-07-26 08:32caristuStatusresolved => closed
2019-07-26 08:32caristuFixed in Version => 3.0PR19Q2.2

2019-07-22 13:27   
Repository: erp/backports/3.0PR19Q2.2
Changeset: 431ffa6714d01c34828a663a48a029063e8f7b81
Author: Asier Lostalé <asier.lostale <at>>
Date: Mon Jul 22 13:10:02 2019 +0200
URL: [^]

fixed issue 41412: incorrect attachment key management

  The changeset includes:
    * Checking key sent from customer is a valid ID
    * Check the record is readable when uploading files
    * Check there is an acutal record for a given key

M modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/
M src/org/openbravo/erpCommon/businessUtility/
2019-07-26 08:32   
Reviewed + tested OK.