| Summary: | Security bug - RCE in BIRT viewer example | | |
|---|---|---|---|
| Product: | z_Archived | Reporter: | Stu xxn <stuxxn> |
| Component: | BIRT | Assignee: | Ramanuja Vinjamuri <rvinjamu> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | | |
| Priority: | P3 | CC: | alexander.becher, ddelisyd, john, leonardo.pinho, Lionel.wyl, wayne.beaton |
| Version: | unspecified | Keywords: | security |
| Target Milestone: | 4.8.0 | | |
| Hardware: | PC | | |
| OS: | All | | |
| Whiteboard: | | | |
| Attachments: | | | |

Description
Stu xxn
2018-08-22 03:02:42 EDT
Hey @Stu_xxn,

I was not able to reproduce the issue. The only difference is that I don't have the example report. I tried it with other reports and the RCE was not triggered.
Can you clarify if the bug is only in that case? (example report).

Best Regards,

(In reply to liga liga from comment #1)
> Hey @Stu_xxn,
>
> I was not able to reproduce the issue. The only difference is that I don't
> have the example report. I tried it with other reports and the RCE was not
> triggered.
> Can you clarify if the bug is only in that case? (example report).
>
> Best Regards,

What exact setup do you use (BIRT Version, Tomcat Version etc.)? Can you show me your report? And what do you mean by "RCE was not triggered"? Was the file written? Do you call the JSP file?

This issue has been addressed via commit: https://github.com/eclipse/birt/commit/e63581a582cf4c327deaee546c1d4186d1bdb202

Brief on the fix:

In viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/viewer.properties, one can specify a white and black list of allowed extensions:

```
#Restrictions on the __document parameter when used to specify the report document to be generated. These restrictions
#are only applicable for actions like frameset, document, output which generate a report document. Please note that irrespective
#of the setting here, when the __document param is expected and not specified, the system uses rptdocument as the extension for the
#target report document. To maintain consistency, do not specify rptdocument in the black list and if white list is defined, add rptdocument to the list.

#Comma separated white list of extensions for the report document produced by the system.
reportdocument.allowed-extensions=

#Comma separated black list of extensions for the report document produced by the system. The black list takes precedence over the white list.
reportdocument.disallowed-extensions=jsp
```

I've assigned CVE-2021-34427.

I assume that we're done here.
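
The following audit sketch is an added example, not code from the bug report or from BIRT: it reads the two `reportdocument.*` keys quoted above, evaluates a `__document` value with the black list taking precedence, and flags the inconsistent settings the properties comment warns about. The function names are hypothetical, and the case-insensitive comparison and the "text after the last dot of the file name" definition of an extension are assumptions, not confirmed BIRT behaviour.

```python
import posixpath

DEFAULT_EXT = "rptdocument"  # extension used when __document is not specified
KEYS = {"reportdocument.allowed-extensions": "allowed",
        "reportdocument.disallowed-extensions": "disallowed"}

def parse_policy(properties_text):
    """Read the two reportdocument.* keys from viewer.properties text."""
    policy = {"allowed": set(), "disallowed": set()}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() in KEYS:
            # Comma separated list; normalise case and a leading dot (assumption).
            policy[KEYS[key.strip()]] = {
                e.strip().lower().lstrip(".") for e in value.split(",") if e.strip()}
    return policy

def is_permitted(document, policy):
    """Black list wins over white list; an empty white list means 'not defined'."""
    name = posixpath.basename(document.replace("\\", "/"))
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in policy["disallowed"]:
        return False
    return not policy["allowed"] or ext in policy["allowed"]

def audit(policy):
    """Return findings for settings the properties comment warns against."""
    findings = []
    if DEFAULT_EXT in policy["disallowed"]:
        findings.append("rptdocument is black-listed but is the default extension")
    if policy["allowed"] and DEFAULT_EXT not in policy["allowed"]:
        findings.append("white list is defined but omits rptdocument")
    if "jsp" not in policy["disallowed"] and not policy["allowed"]:
        findings.append("jsp is not black-listed and no white list is defined")
    return findings

# Constructed sample: the values quoted in the fix comment.
SHIPPED = ("reportdocument.allowed-extensions=\n"
           "reportdocument.disallowed-extensions=jsp\n")

if __name__ == "__main__":
    shipped = parse_policy(SHIPPED)
    print(is_permitted("out/report.rptdocument", shipped), audit(shipped))
```
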