[opencms-dev] CMS 11.02 - fix vulnerability assessment
Kai Widmann
Widmann at mediaworx.de
Thu Sep 30 10:52:08 CEST 2021
Hey Andrea,
just out of curiosity: if the Workplace was accessed with Admin rights, why go through all that trouble to upload a stealth JSP as an image and then change the type to JSP? An Admin can upload or create any JSP anywhere in the VFS using the explorer. So securing the image upload might be a good thing in general, but it wouldn’t protect you at all from an evil person that has Admin rights.
Cheers
Kai
On 30.09.2021 at 10:44, Andrea Rota <andrea.rota at gmail.com> wrote:
Hi guys,
we have developed a website for our customer using OpenCms 11.02.
Before deploying to production, our customer ran a vulnerability assessment on the OpenCms dev site and found this vulnerability:
* He accessed the OpenCms workplace with admin rights
* He uploaded a .jsp file via the upload widget for the user profile image
* Then he went to the /system/userimages/temp/ folder, changed the file type from text file to jsp file and published the jsp
* Finally he accessed the .jsp from the online site and could execute Linux commands from the browser
Now we ask you:
* Whether we can disable the image upload widget in the user profile image area (as a quick-win solution)
* Or whether it is possible to control the uploaded file types (if this component is not used in the entire application) in order to restrict the types for profile images to .jpg, .png or other image formats, but not .jsp.
Thanks in advance
Andrea Rota
Here are some screenshots:
* The upload widget for user image profile
<s1.jpg>
* The uploaded file with type changed
<s2.jpg>
* The resulting online page
<s3a.jpg>
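The two requests in the message above (restricting the profile-image upload to real images, and not letting an uploaded file be turned into an executable type afterwards) both come down to server-side checks on content and on the type change, not on the file name alone. The following is an added example written for this page; it is not OpenCms code and does not use the OpenCms API. The function names, the signature table and the rule for the /system/userimages/ folder are assumptions made for the illustration.

```python
# Added example (not OpenCms code): content-based validation for a profile
# image upload, plus a guard for the "change the resource type" step.
from typing import Optional, Tuple

# Allowed profile image extensions, each with the leading bytes ("magic")
# that a genuine file of that type starts with. Assumed allowlist.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Server-side script markers that have no business inside a profile image.
SCRIPT_MARKERS = (b"<%", b"<jsp:", b"<?php")

# Folder under which uploaded profile images live (path taken from the thread)
# and the resource types that must never be assigned there. Assumed rule.
USER_IMAGE_FOLDER = "/system/userimages/"
EXECUTABLE_TYPES = {"jsp"}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if ext == "jpeg":  # same signature as "jpg"; report the canonical name
            continue
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_profile_image(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only files whose extension is allowed AND whose bytes match it."""
    name = filename.lower()
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1]
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    detected = detect_image_type(data)
    if detected is None:
        return False, "content is not a recognised image"
    expected = "jpg" if ext == "jpeg" else ext
    if detected != expected:
        return False, f"extension .{ext} does not match content ({detected})"
    # Polyglot check: a valid image header followed by JSP code would pass the
    # magic-byte test, so reject script markers anywhere in the body.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "image contains script markers"
    return True, "ok"


def allow_type_change(vfs_path: str, new_type: str) -> bool:
    """Refuse turning anything under the user-image folder into an executable type."""
    if vfs_path.startswith(USER_IMAGE_FOLDER) and new_type.lower() in EXECUTABLE_TYPES:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_profile_image("avatar.png", png_header))
    print(validate_profile_image("shell.jsp", b"<% Runtime.getRuntime(); %>"))
    print(validate_profile_image("avatar.png", png_header + b"<% out.println(1); %>"))
    print(allow_type_change("/system/userimages/temp/avatar.png", "jsp"))
```

The extension allowlist answers the second question in the thread directly; the magic-byte and marker checks cover the case where a script is uploaded under an image name, and `allow_type_change` covers the step where the resource type was changed after upload. The script-marker check is deliberately conservative and may reject an unusual but legitimate image whose metadata happens to contain `<%`.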
_______________________________________________
This mail is sent to you from the opencms-dev mailing list
To change your list options, or to unsubscribe from the list, please visit
https://lists.opencms.org/mailman/listinfo/opencms-dev