Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-12332

post-auth Remote Code Execution Vulnerability

    XMLWordPrintableJSON

Details

    • Bug Crush Event - 21/2/2015

    Description

      I found that the latest version of the OFBiz framework was affected by an XMLRPC Remote Code Execution Vulnerability.

      This vulnerability is caused by incomplete patch repair of cve-2020-9496.

      Successful exploit:

      Please refer to the attachment for payload details.This HTTP request will execute the command  `touch /tmp/success` file on the attacked server.

       

      Attachments

        1. payload_20211008.txt
          5 kB
          Jie Zhu
        2. LocallyAdaptedPayload.txt
          4 kB
          Jacques Le Roux
        3. payload_windows.txt
          4 kB
          Jie Zhu
        4. payload.txt
          4 kB
          Jie Zhu
        5. image-2021-10-03-11-43-31-228.png
          7 kB
          Jie Zhu
        6. image-2021-10-03-11-43-20-021.png
          292 kB
          Jie Zhu

        Issue Links

          is related to

          Sub-task - The sub-task of the issue OFBIZ-11716 Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)

          • Major - Major loss of function.
          • Closed

          Activity

            People

              jleroux Jacques Le Roux
              zhujie Jie Zhu
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: