As part of the solution we implemented two levels of protection during file upload.
The first level checks the extension of the file being uploaded.
The list of extensions that may be uploaded to Catalog is configured in the ESAPI.properties file, which is located in USM_HOME\view\conf (under the ApprovedUploadExtensions property).
This layer screens out unwanted file extensions.
The second level validates the content that is actually being uploaded into the system.
Even if an attacker changes the file extension to a valid value and tries to upload malicious content into the system,
we prevent this using the concept of magic numbers.
Every file content type can be identified from its first few bytes, which signify the type of data being uploaded.
We introduced a new properties file called FileTypeSignatures.properties, located in the USM_HOME\view\webapps\usm\config folder.
This file holds the mapping between the blocked file extensions and their corresponding magic number values.
Before a file is uploaded into the Catalog, the system validates its content against this data.
Please note that 'ESAPI.properties' and 'FileTypeSignatures.properties' were added recently.
These files contain the default property values as defined by the Service Catalog system.
The 'FileTypeSignatures.properties' file should list all the file extensions that are to be blocked by the Catalog system.
So to allow .xlsx files:
- Added ',.xlsx,.docx' to 'HttpUtilities.ApprovedUploadExtensions' within %USM_HOME%\view\conf\ESAPI.properties
- Removed the following signature from %USM_HOME%\view\webapps\usm\config\FileTypeSignatures.properties: 504B0304
(this was the signature of the .xlsx file I was testing with,
and as per http://en.wikipedia.org/wiki/List_of_file_signatures the signature may be the same for zip/jar/xlsx)
- Recycled Catalog service
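The two-level check described above, and the reason an .xlsx upload is rejected while the 504B0304 signature is still in the block list, can be shown with a small self-contained model. This is an added example, not CA Service Catalog code: it parses a constructed ESAPI.properties fragment (the HttpUtilities.ApprovedUploadExtensions key from the note) and a constructed FileTypeSignatures.properties fragment, then applies the extension allowlist first and the magic-number block list second. The sample property contents, file names and byte strings are all constructed for the example.

```python
# Added example (not CA Service Catalog code): two-level upload validation.
# Level 1: extension allowlist (modelled on HttpUtilities.ApprovedUploadExtensions).
# Level 2: magic-number block list (modelled on FileTypeSignatures.properties).
from typing import Dict, Set, Tuple

# Constructed ESAPI.properties fragment, with .xlsx and .docx appended as in the note.
ESAPI_PROPERTIES = """
HttpUtilities.ApprovedUploadExtensions=.pdf,.png,.jpg,.xlsx,.docx
"""

# Constructed FileTypeSignatures.properties fragment: blocked extension = magic number (hex).
# One value deliberately contains spaces between byte pairs; the product expects none,
# so the parser normalises both spellings to the same bytes.
SIGNATURES_PROPERTIES = """
# blocked extension = leading bytes (hex)
.exe=4D 5A
.class=CAFEBABE
.zip=504B0304
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: '#' comment lines and blank lines are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_allowed_extensions(props: Dict[str, str]) -> Set[str]:
    """Level 1 data: the comma-separated allowlist, lower-cased, with the leading dot."""
    raw = props.get("HttpUtilities.ApprovedUploadExtensions", "")
    return {ext.strip().lower() for ext in raw.split(",") if ext.strip()}


def load_blocked_signatures(props: Dict[str, str]) -> Dict[str, bytes]:
    """Level 2 data: blocked extension -> magic-number bytes (spaces stripped)."""
    return {ext.lower(): bytes.fromhex(hexstr.replace(" ", "")) for ext, hexstr in props.items()}


def check_upload(filename: str, content: bytes,
                 allowed: Set[str], blocked: Dict[str, bytes]) -> Tuple[bool, str]:
    """Return (accepted, reason) after applying both levels in order."""
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    # Level 1: the file name's extension must be on the allowlist.
    if ext not in allowed:
        return False, f"extension {ext or '(none)'} is not in ApprovedUploadExtensions"
    # Level 2: the leading bytes must not match any blocked type, whatever the name says.
    for blocked_ext, magic in blocked.items():
        if content.startswith(magic):
            return False, f"content starts with the {blocked_ext} signature {magic.hex().upper()}"
    return True, "accepted"


ALLOWED = load_allowed_extensions(parse_properties(ESAPI_PROPERTIES))
BLOCKED = load_blocked_signatures(parse_properties(SIGNATURES_PROPERTIES))
# The note's fix: the 504B0304 entry removed from the block list.
BLOCKED_WITHOUT_ZIP = {ext: sig for ext, sig in BLOCKED.items() if ext != ".zip"}

# Constructed sample contents: an OOXML/zip container and a PE header.
XLSX_BYTES = b"PK\x03\x04\x14\x00\x06\x00"   # 50 4B 03 04 ...
EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00"    # 4D 5A ...

if __name__ == "__main__":
    for name, data, block in [
        ("tool.exe", EXE_BYTES, BLOCKED),            # rejected at level 1
        ("photo.png", EXE_BYTES, BLOCKED),           # rejected at level 2 (renamed executable)
        ("report.xlsx", XLSX_BYTES, BLOCKED),        # rejected at level 2: shares 504B0304 with .zip
        ("report.xlsx", XLSX_BYTES, BLOCKED_WITHOUT_ZIP),  # accepted once the entry is removed
    ]:
        print(name, check_upload(name, data, ALLOWED, block))
```

The third case is exactly the situation in the note: the extension passes level 1, but because .xlsx, .docx and .zip are all ZIP containers they share the leading bytes 50 4B 03 04, so a block-list entry for that signature rejects every Office document as well; removing the entry (fourth case) lets the .xlsx through while a renamed executable (second case) is still caught by its own signature.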
Another thing to be checked (and repaired) is the following:
The format of the 'magic number' values in the file FileTypeSignatures.properties is not correct.
The file is located in the USM_HOME\view\webapps\usm\config folder.
Change them to this (remove the spaces after each pair of digits):
Restart the Catalog service and it should work then:
1 Stop the CA Service Catalog services (Accounting and Catalog).
2 Empty/clear the %USM_HOME%\view\translets folder.
3 (Re)move the %USM_HOME%\logs\*.log files.
4 Clear the browser cache.
5 Start the CA Service Catalog services (Accounting and Catalog).
> Steps 2 and 4 especially are important.