[opencms-dev] CMS 11.02 - fix vulnerability assessment

Andrea Rota andrea.rota at gmail.com
Thu Sep 30 18:46:28 CEST 2021


Hi,
Yes, it is clear to me that if the user is Admin, he can create executable
jsp files throughout the workspace.
It is not correct that I can upload a jsp in the profile with that file
uploader; the customer has done a check of his security.
I want to understand where the point is to insert a control or comment out the
upload functionality on the profile picture.
Thanks in advance
Andrea


On Thu 30 Sep 2021 at 10:52 Kai Widmann <Widmann at mediaworx.de>
wrote:

> Hey Andrea,
>
> just out of curiosity: if the Workplace was accessed with Admin rights,
> why go through all that trouble to upload a stealth JSP as image and then
> change the type to JSP. An Admin can upload or create any JSP anywhere in
> the VFS using the explorer. So securing the image upload might be a good
> thing in general, but it wouldn’t protect you at all from an evil person
> that has Admin rights.
>
> Cheers
>
> Kai
>
> On 30.09.2021 at 10:44 Andrea Rota <andrea.rota at gmail.com> wrote:
>
> Hi guys,
> we have developed a website for our customer using OpenCMS 11.02.
> Before deploying to production our customer launched a vulnerability
> assessment on the OpenCMS dev site and he found this vulnerability:
> He accessed the OpenCMS workplace with admin rights
>
>    - He uploaded a .jsp file via the upload widget placed in the user
>    profile image
>    - Then he went to the /system/userimages/temp/ folder, changed the
>    file type from test file to jsp file and published the jsp
>    - At the end he accessed the .jsp from the online site and he could
>    execute linux commands from the browser
>
> Now we ask you:
>
>    - If we can disable the image upload widget in the user image profile area
>    (as a quick-win solution)
>    - Or if it is possible to control upload file types (if this component
>    is not used in the entire application) in order to restrict the types for
>    profile images to .jpg, .png or other image files but not .jsp.
>
>
> Thanks in advance
>
>
> Andrea Rota
>
>
> Here are some screenshots:
>
>    - The upload widget for the user image profile (screenshot s1.jpg)
>    - The uploaded file with type changed (screenshot s2.jpg)
>    - The resulting online page (screenshot s3a.jpg)
>
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> https://lists.opencms.org/mailman/listinfo/opencms-dev
>
>

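As an added illustration for the second question in this thread (this is not OpenCms code and not from anyone on the list): a standalone server-side check that accepts a profile image only when its extension is on an allowlist and its leading bytes match that format's signature, so a JSP source file is rejected whether or not it is named like an image. The class name, method name and sample bytes are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

/** Hypothetical upload check for profile images; not part of the OpenCms API. */
public final class ProfileImageUploadCheck {

    // Allowed extensions and the magic bytes a file with that extension must start with.
    private static final Map<String, byte[]> SIGNATURES = Map.of(
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "gif",  "GIF8".getBytes(StandardCharsets.US_ASCII)
    );

    private ProfileImageUploadCheck() {}

    /** True only if the name carries an allowed image extension and the content matches it. */
    public static boolean isAcceptableImage(String fileName, byte[] content) {
        if (fileName == null || content == null) {
            return false;
        }
        // Look only at the last path segment; the extension is the part after its last dot.
        String base = fileName.substring(fileName.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return false;                       // no extension, or a dot-file / trailing dot
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] expected = SIGNATURES.get(ext);
        if (expected == null) {
            return false;                       // extension not on the allowlist (e.g. jsp)
        }
        if (content.length < expected.length) {
            return false;                       // too short to carry the signature
        }
        // Extension alone is not trusted: the bytes must really be that image format.
        return Arrays.equals(Arrays.copyOf(content, expected.length), expected);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a PNG header and a fragment of JSP source.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
        byte[] jsp = "<%@ page language=\"java\" %>".getBytes(StandardCharsets.US_ASCII);
        System.out.println("png named .png : " + isAcceptableImage("avatar.png", png));
        System.out.println("jsp named .jsp : " + isAcceptableImage("avatar.jsp", jsp));
        System.out.println("jsp named .png : " + isAcceptableImage("avatar.png", jsp));
    }
}
```

Because the report above shows the resource type being changed after the upload, a check like this only helps if it runs wherever the type of a resource under /system/userimages/ can be set, not just inside the upload widget.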
