Workaround for AhsayOBS 6.x - 6.9.x.x vulnerability

Overview

The changelog for AhsayOBS 6.11 included several important security fixes. These vulnerabilities allow an unauthenticated remote attacker to extract a list of your customers, as well as any file from your server. All AhsayOBS versions from 6.0 through 6.9.4.2 inclusive appear to be affected by this issue. Version 5.x does not appear to be affected at this time.

If you are using any API client - either MyClient or another system - without the URL Rewriting feature, your AhsayOBS administrator password may also be at risk.

MyClient strongly recommends using one of the following workarounds to resolve this issue.

Option 1: Upgrade to AhsayOBS 6.11 or newer

The method recommended by Ahsay is to use the latest version of AhsayOBS. This issue is corrected in version 6.11. Alternatively, you may download and install the unofficial hotfix 6.9.4.4.

Users of previous AhsayOBS 6.x versions who are not willing or able to upgrade to the latest version should consider the alternative workarounds.

Option 2: Make minor changes to struts-config.xml

A preventative measure can be applied to close this vulnerability. This will have a minor cosmetic effect on your AhsayOBS Web Console.

  1. Open the file AhsayOBS/webapps/obs/WEB-INF/struts-config.xml.
  2. Find the lines concerning com.ahsay.obs.www.GetDocument.
  3. Remove or comment out (wrap in <!-- ... -->) the lines from <action> to </action> inclusive.
  4. Repeat the above for com.ahsay.obs.www.GetLogo.
  5. Restart the OBS server process.

Option 3: Modify the URL-rewriting configuration

If you are already using URL Rewriting with MyClient on your AhsayOBS server, you can avoid the need to restart the AhsayOBS process by applying the mitigation using URL rewriting. This will have a minor cosmetic effect on your AhsayOBS Web Console.

In the file webapps/obs/WEB-INF/urlrewrite.xml, add the following lines within the <urlrewrite> section:

<rule>
  <!-- Answer any request for getDocument.do or getLogo.do with a 404 and do not forward it -->
  <from>^.*(getDocument|getLogo)\.do.*$</from>
  <set type="status">404</set>
  <to>null</to>
</rule>
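The following script is an added example for verifying that Option 2 or Option 3 has actually taken effect; it is not part of the MyClient advisory or of Ahsay's software. It assumes (not stated on the page) that the Struts 1 mappings in struts-config.xml have the usual form <action path="/getDocument" type="com.ahsay.obs.www.GetDocument">, that the web console is served under /obs/, and that the sample struts-config.xml fragments embedded below are constructed for illustration. url_is_blocked mirrors the urlrewrite rule, active_vulnerable_actions parses a struts-config.xml and reports any GetDocument/GetLogo mapping that is still live, and check_endpoints queries a running server.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Action classes named in the advisory (Option 2).
VULNERABLE_ACTIONS = ("com.ahsay.obs.www.GetDocument", "com.ahsay.obs.www.GetLogo")

# Same intent as the urlrewrite <from> pattern (Option 3): any URL that
# contains either endpoint is answered with a 404 and never forwarded.
BLOCK_PATTERN = re.compile(r"^.*(getDocument|getLogo)\.do.*$")


def url_is_blocked(url: str) -> bool:
    """True if the urlrewrite rule would short-circuit this request with a 404."""
    return BLOCK_PATTERN.match(url) is not None


def active_vulnerable_actions(struts_config_xml: str) -> list:
    """Return the class names of GetDocument/GetLogo <action> elements that are
    still live in the given struts-config.xml text. ElementTree drops XML
    comments while parsing, so a mapping commented out per Option 2 is not
    reported; an empty list means the workaround is in place."""
    root = ET.fromstring(struts_config_xml)
    return [a.get("type") for a in root.iter("action") if a.get("type") in VULNERABLE_ACTIONS]


def check_endpoints(base_url: str, timeout: float = 10.0) -> dict:
    """Request both endpoints on a live AhsayOBS server (assumed context path
    /obs/) and return the HTTP status for each. After either workaround
    neither should be 200. This performs network I/O and is not exercised by
    the offline checks below."""
    results = {}
    for endpoint in ("getDocument.do", "getLogo.do"):
        url = base_url.rstrip("/") + "/obs/" + endpoint
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[endpoint] = resp.status
        except urllib.error.HTTPError as exc:
            results[endpoint] = exc.code
    return results


# Constructed sample: struts-config.xml before applying Option 2.
# The "/login" mapping is a made-up placeholder for an unrelated action.
SAMPLE_BEFORE = """<struts-config>
  <action-mappings>
    <action path="/getDocument" type="com.ahsay.obs.www.GetDocument"/>
    <action path="/getLogo" type="com.ahsay.obs.www.GetLogo"/>
    <action path="/login" type="com.example.Login"/>
  </action-mappings>
</struts-config>
"""

# Constructed sample: the same file after commenting out both mappings.
SAMPLE_AFTER = """<struts-config>
  <action-mappings>
    <!-- <action path="/getDocument" type="com.ahsay.obs.www.GetDocument"/> -->
    <!-- <action path="/getLogo" type="com.ahsay.obs.www.GetLogo"/> -->
    <action path="/login" type="com.example.Login"/>
  </action-mappings>
</struts-config>
"""


if __name__ == "__main__":
    print("live mappings before:", active_vulnerable_actions(SAMPLE_BEFORE))
    print("live mappings after: ", active_vulnerable_actions(SAMPLE_AFTER))
    for u in ("/obs/getDocument.do?x=1", "/obs/getLogo.do", "/obs/login.do"):
        print(u, "blocked" if url_is_blocked(u) else "allowed")
    # To check a real server, pass its base URL, e.g.
    # check_endpoints("https://backup.example.invalid")
```

To audit a deployed server, read its struts-config.xml into active_vulnerable_actions and then call check_endpoints against its base URL; a result of 200 on either endpoint, or a non-empty list from the parser, means the workaround has not been applied or the OBS process has not been restarted since the edit.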