[OFBIZ-12332] post-auth Remote Code Execution Vulnerability - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: Release Branch 17.12, 18.12.01
Component/s: framework/webtools
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

I found that the latest version of the OFBiz framework was affected by an XMLRPC Remote Code Execution Vulnerability.

This vulnerability is caused by incomplete patch repair of cve-2020-9496.

Successful exploit:

Please refer to the attachment for payload details.This HTTP request will execute the command `touch /tmp/success` file on the attacked server.

Attachments

payload.txt
03/Oct/21 06:45
4 kB
Jie Zhu
payload_windows.txt
05/Oct/21 17:16
4 kB
Jie Zhu
payload_20211008.txt
08/Oct/21 11:21
5 kB
Jie Zhu
LocallyAdaptedPayload.txt
07/Oct/21 07:53
4 kB
Jacques Le Roux
image-2021-10-03-11-43-31-228.png
03/Oct/21 06:43
7 kB
Jie Zhu
image-2021-10-03-11-43-20-021.png
03/Oct/21 06:43
292 kB
Jie Zhu

Issue Links

Add Link

is related to

OFBIZ-11716 Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)

Closed

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Jacques Le Roux

Reporter:: Jie Zhu

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 03/Oct/21 06:45

Updated:: 17/Oct/21 17:11

Resolved:: 10/Oct/21 10:18

Agile

Completed Sprint:: Bug Crush Event - 21/2/2015 ended 26/Feb/15

View on Board

post-auth Remote Code Execution Vulnerability

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Agile

Slack

Issue deployment