View Issue Details
ID: 0041401
Type: defect
Category: [Openbravo ERP] C. Security
Severity: major
Reproducibility: always
Date Submitted: 2019-07-18 17:51
Last Update: 2019-08-22 14:45
Reporter: dlescos
View Status: public
Assigned To: alostale
Priority: high
Resolution: fixed
Fixed in Version: 3.0PR19Q4
Status: closed
Fix in branch:
Fixed in SCM revision: 922ad4794b2f
Projection: none
ETA: none
Target Version:
OS: Linux 64 bit
Database: PostgreSQL
Java version: 7.x
OS Version: Openbravo Appliance 14.04
Database version: 9.3.x
Ant version: 1.9.x
Product Version: 3.0PR18Q3.5
SCM revision:
Review Assigned To: caristu
Web browser:
Modules: User Interface Application
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary: 0041401: Security Issue - Path Traversal with Attachments

Description
Attachments are vulnerable to a path traversal attack by modifying the inpKey parameter while the file is submitted, letting the Openbravo user access the server file system and replace files.

The issue lies in the
_org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ method which does not check the _inpKeyId_ value, used to create the subdirectories in attachments.

This value is later split into three-character directories (_splitPath_ method, same class). This does not prevent the user from accessing large portions of the underlying file system.

Furthermore, information on the attachments directory location on the server can be gained by providing a non-existing path, which results in the user error message displaying the attachments directory absolute path.

This implies two immediate possibilities:
- if the attachments directory is contained in the main Openbravo directory, then files in _web_ and _web/js_ and _src/{build.xml, index.jsp,...}_ can be replaced.
- On UNIX, if the attachments directory is a subdirectory of _$HOME_, _.bashrc_ can be replaced.
Steps To Reproduce
The following has been tested on the latest Openbravo SourceForge appliance (3.0PR18Q3.5).

Open a transaction window that provides the attachments feature, let's say _"Sales Order"_.

## Collect information
Click __"[ Add ]"__ in the Attachments section
Choose your __test_file.txt__ file with the __"Choose File"__ button.

Click __"Submit"__ and intercept the post request to __businessUtility/TabAttachments_FS.html__ and manually update the json parameter __paramValues.inpKey()__ with some impossible path like __../../../../../../../../../__ which will become __attachments/259/../../../../../../../../../__

Then forward the updated request. This should display _"Could not move report to final destination: /opt/OpenbravoERP/attachments/259/../../../../../../../../../test_file.txt"_
You have gained information on the attachments path.

## Replace a file on the file system
Same as above but with a valid _inpKey_ path. For example on the test appliance:
../../web/js which will be expanded to attachments/259/../../web/js.
Proposed Solution
Setting _SaveAttachmentsOldWay_ to _Y_ is an immediate solution.

A possible patch would be to update the _org.openbravo.client.application.attachment.getAttachmentDirectoryForNewAttachment_ to check the whole path does not contain the ".." substring before _FileUtils.copyFileToDirectory_ is called.
Tags: No tags attached.
Attached Files
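The traversal the report describes, next to the kind of check that closes it, as an added example written for this page and not Openbravo's own code. The three-character splitting is a re-creation of what the report attributes to _splitPath_, the base directory is the one shown in the report's error message, the class and method names are invented, and the assumption that a record key is a 32-character upper-case hex ID is the illustration's own, not something the page states.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

public class AttachmentKeyCheck {
    // Assumed base directory: the report's error message shows this path on the test appliance.
    static final String ATTACH_BASE = "/opt/OpenbravoERP/attachments";

    // Assumption for this example: a record key is 32 upper-case hex characters.
    static final Pattern RECORD_ID = Pattern.compile("[0-9A-F]{32}");

    // Re-creation of the three-character split the report attributes to splitPath
    // (not Openbravo's code): "ABCDEFG" -> "ABC/DEF/G".
    static String splitPath(String key) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < key.length(); i += 3) {
            if (i > 0) sb.append('/');
            sb.append(key, i, Math.min(i + 3, key.length()));
        }
        return sb.toString();
    }

    // Vulnerable shape: the inpKey value is used unchecked to build the directory.
    static File vulnerableDir(String tabId, String inpKey) {
        return new File(ATTACH_BASE, tabId + "/" + splitPath(inpKey));
    }

    // Hardened shape: allow-list the key first, then verify the canonical result
    // (which also covers tabId) still lies under the attachments base directory.
    static File hardenedDir(String tabId, String inpKey) throws IOException {
        if (!RECORD_ID.matcher(inpKey).matches()) {
            throw new IllegalArgumentException("inpKey is not a record id: " + inpKey);
        }
        File base = new File(ATTACH_BASE).getCanonicalFile();
        File target = new File(base, tabId + "/" + splitPath(inpKey)).getCanonicalFile();
        if (!target.toPath().startsWith(base.toPath())) {
            throw new SecurityException("attachment directory escapes " + base + ": " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        String tabId = "259";                                  // tab id seen in the report
        String traversal = "../../web/js";                     // key from the file-replacement step
        String validId = "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6";  // constructed sample id

        // ".." survives the split: "../", "../", "web", "/js" still resolves to web/js
        File v = vulnerableDir(tabId, traversal);
        System.out.println("vulnerable raw:       " + v.getPath());
        System.out.println("vulnerable canonical: " + v.getCanonicalPath());

        try {
            hardenedDir(tabId, traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected:    " + e.getMessage());
        }
        System.out.println("hardened accepted:    " + hardenedDir(tabId, validId));
    }
}
```

Running it prints the vulnerable canonical path as /opt/OpenbravoERP/web/js, the directory the report says can be overwritten. A bare ".." substring check, as proposed above, would reject the keys used in this report, but restricting the key to the ID alphabet (which is the direction the fix took, per the commit note below) and then confirming the canonical result stays under the base directory rejects any key that was never a record ID and is not defeated by encoding or separator variations that a substring test might miss.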

Relationships
depends on backport 0041411 (3.0PR19Q3) closed alostale Security Issue - Path Traversal with Attachments
depends on backport 0041412 (3.0PR19Q2.2) closed alostale Security Issue - Path Traversal with Attachments
depends on backport 0041413 (3.0PR19Q1.3) closed alostale Security Issue - Path Traversal with Attachments

Notes
(0113560)
hgbot (developer)
2019-07-22 13:10

Repository: erp/devel/pi
Changeset: 922ad4794b2f9930dfa8ca3c0d9076555c2ea3e2
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Jul 22 13:10:02 2019 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/922ad4794b2f9930dfa8ca3c0d9076555c2ea3e2

fixed issue 41401: incorrect attachment key management

  The changeset includes:
    * Checking key sent from customer is a valid ID
    * Check the record is readable when uploading files
    * Check there is an actual record for a given key

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/AttachImplementationManager.java
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
(0113658)
caristu (developer)
2019-07-26 08:30

Reviewed + tested OK.
(0113668)
hgbot (developer)
2019-07-26 09:40

Repository: erp/devel/pi
Changeset: f12cfbd48d9c4f755762b792a9481ef217a00dea
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Fri Jul 26 09:40:04 2019 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/f12cfbd48d9c4f755762b792a9481ef217a00dea

related to issue 41401: fix typo

---
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
(0114170)
hudsonbot (developer)
2019-08-22 14:44

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/ad3efd3bd07c
Maturity status: Test
(0114178)
hudsonbot (developer)
2019-08-22 14:45

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/ad3efd3bd07c
Maturity status: Test

Issue History
Date Modified Username Field Change
2019-07-18 17:51 dlescos New Issue
2019-07-18 17:51 dlescos Assigned To => platform
2019-07-18 17:51 dlescos Modules => User Interface Application
2019-07-18 17:51 dlescos Triggers an Emergency Pack => No
2019-07-22 12:47 alostale Status new => scheduled
2019-07-22 12:48 alostale Review Assigned To => caristu
2019-07-22 12:48 alostale Assigned To platform => alostale
2019-07-22 13:10 hgbot Checkin
2019-07-22 13:10 hgbot Note Added: 0113560
2019-07-22 13:10 hgbot Status scheduled => resolved
2019-07-22 13:10 hgbot Resolution open => fixed
2019-07-22 13:10 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/922ad4794b2f9930dfa8ca3c0d9076555c2ea3e2
2019-07-26 08:30 caristu Note Added: 0113658
2019-07-26 08:30 caristu Status resolved => closed
2019-07-26 08:30 caristu Fixed in Version => 3.0PR19Q4
2019-07-26 09:40 hgbot Checkin
2019-07-26 09:40 hgbot Note Added: 0113668
2019-08-22 14:44 hudsonbot Checkin
2019-08-22 14:44 hudsonbot Note Added: 0114170
2019-08-22 14:45 hudsonbot Checkin
2019-08-22 14:45 hudsonbot Note Added: 0114178

