[opencms-dev] CMS 11.02 - fix vulnerability assessment

Andrea Rota andrea.rota at gmail.com
Thu Sep 30 10:44:21 CEST 2021


Hi guys,

we have developed a website for our customer using OpenCMS 11.02.

Before deploying to production, our customer ran a vulnerability
assessment on the OpenCMS dev site and found this vulnerability:

He accessed the OpenCMS workplace with admin rights

   - He uploaded a .jsp file via the upload widget placed in the user profile
   image area
   - Then he went to the /system/userimages/temp/ folder, changed the file
   type from test file to jsp file, and published the jsp
   - Finally he accessed the .jsp from the online site and was able to execute
   Linux commands from the browser

Now we ask you:

   - Whether we can disable the image upload widget in the user profile image
   area (as a quick-win solution)
   - Or whether it is possible to control the uploaded file types (if this
   component is not used in the entire application) in order to restrict the
   types for profile images to .jpg, .png or other image files, but not .jsp.


Thanks in advance

Andrea Rota

Here are some screenshots:

   - The upload widget for the user profile image


[image: s1.jpg]




   - The uploaded file with its type changed


[image: s2.jpg]






   - The resulting online page



[image: s3a.jpg]
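One way to enforce an image-only allow-list on profile uploads, as an added example that is not part of the original post and not OpenCms code: the hypothetical ProfileImageValidator accepts a file only when its extension is allow-listed and its leading bytes carry the matching image signature, so a JSP renamed to .png is rejected as well as a plain .jsp.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

/**
 * Hypothetical allow-list check for profile-image uploads (not OpenCms code).
 * A file passes only if its extension is an image type AND its leading bytes
 * match that type's signature.
 */
public final class ProfileImageValidator {

    // Allowed extensions mapped to the file signature each must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "gif",  new byte[] {'G', 'I', 'F', '8'}
    );

    /** Returns the lower-cased extension after the last dot, or "" if none. */
    static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            return "";
        }
        return fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True only for an allow-listed extension whose signature matches the content. */
    public static boolean isAllowedImage(String fileName, byte[] content) {
        byte[] expected = MAGIC.get(extensionOf(fileName));
        if (expected == null || content.length < expected.length) {
            return false;
        }
        return Arrays.equals(Arrays.copyOf(content, expected.length), expected);
    }

    public static void main(String[] args) {
        // Constructed samples: a PNG header, and JSP text disguised as a .png.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
        byte[] jsp = "<%@ page %>".getBytes(StandardCharsets.US_ASCII);
        System.out.println("png as avatar.png: " + isAllowedImage("avatar.png", png));
        System.out.println("jsp as avatar.png: " + isAllowedImage("avatar.png", jsp)); // signature mismatch
        System.out.println("png as avatar.jsp: " + isAllowedImage("avatar.jsp", png)); // extension not allowed
    }
}
```

This addresses the second question (what the upload widget accepts); it does not stop a workplace user with admin rights from changing a resource's type after upload, which is a matter of workplace permissions rather than upload validation.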