This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new d708d9a  Fixed: Apache OFBiz unsafe deserialization of XMLRPC 
arguments (CVE-2020-9496)
d708d9a is described below

commit d708d9afcb3aaae61fc92f5b1b6f14b7374bba76
Author: Jacques Le Roux <[email protected]>
AuthorDate: Tue May 19 15:56:02 2020 +0200

    Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments 
(CVE-2020-9496)
    
    (OFBIZ-11716)
    
    Because the 2 xmlrpc related requests in webtools (xmlrpc and ping) are not
    using authentication, they are vulnerable to unsafe deserialization.
    
    thanks: Alvaro Munoz <[email protected]> from the GitHub Security Lab 
team
---
 .../main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java | 4 ++++
 .../src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java      | 2 +-
 framework/webtools/webapp/webtools/WEB-INF/controller.xml             | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git 
a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
 
b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
index 95b3432..108abd1 100644
--- 
a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
+++ 
b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
@@ -98,6 +98,10 @@ public class XMLRPCClientEngine extends GenericAsyncEngine {
                 Integer port = rpcPort + 
Start.getInstance().getConfig().portOffset;
                 url = url.replace(rpcPort.toString(), port.toString());
             }
+            // Necessary for "service-xml-rpc-local-engine" test
+            if (serviceName.equals("testXmlRpcAdd")) {
+                url = url + "?USERNAME=admin&PASSWORD=ofbiz";
+            }
             login = ServiceConfigUtil.getEngineParameter(engine, "login");
             password = ServiceConfigUtil.getEngineParameter(engine, 
"password");
             keyStoreComponent = ServiceConfigUtil.getEngineParameter(engine, 
"keyStoreComponent");
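Review bot: The added branch hard-codes the admin credentials `USERNAME=admin&PASSWORD=ofbiz` into the request URL inside the production engine class, gated only on the service name `testXmlRpcAdd`, and the same literal is duplicated in the `url` field of XmlRpcTests.java. Credentials placed in a query string are recorded by access logs and intermediaries, and a test-only special case in runtime code is easy to overlook later; the two lines immediately below already read `login` and `password` via `ServiceConfigUtil.getEngineParameter`, so presumably the test engine's configuration could carry the test credentials instead of a literal here — worth confirming against how the controller's auth check consumes them. If the special case stays, its comment should state why it exists, e.g. `// Test-only: the webtools xmlrpc request now requires auth (OFBIZ-11716); supply credentials for the test service`. The enclosing method starts before this hunk.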
diff --git 
a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
 
b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
index be08043..c38608b 100644
--- 
a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
+++ 
b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
@@ -38,7 +38,7 @@ public class XmlRpcTests extends AbstractXmlRpcTestCase {
 
     public static final String module = XmlRpcTests.class.getName();
     public static final String resource = "ServiceErrorUiLabels";
-    private static String url = 
"http://localhost:8080/webtools/control/xmlrpc";;
+    private static String url = 
"http://localhost:8080/webtools/control/xmlrpc?USERNAME=admin&PASSWORD=ofbiz";;
 
     public XmlRpcTests(String name) {
         super(name);
diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml 
b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
index 39201cc..363ee59 100644
--- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml
+++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
@@ -55,13 +55,14 @@ under the License.
         <response name="success" type="none"/>
     </request-map>
     <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
-        <security https="false"/>
+        <security auth="true"/>
         <event type="xmlrpc"/>
         <response name="error" type="none"/>
         <response name="success" type="none"/>
     </request-map>
 
     <request-map uri="ping">
+        <security auth="true"/>
         <event type="service" invoke="ping"/>
         <response name="error" type="view" value="ping"/>
         <response name="success" type="view" value="ping"/>
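Review bot: Replacing `<security https="false"/>` with `<security auth="true"/>` drops the explicit https setting on the xmlrpc request at the same moment credentials start being sent to it, so the transport requirement now rests on the controller's default rather than being stated. Making it explicit records the decision: `<security https="true" auth="true"/>`, or deliberately `<security https="false" auth="true"/>` if the plain-http test URL at localhost:8080 must keep working. The ping request-map likewise gains `auth="true"` with no comment, which will surprise anyone who relied on an unauthenticated ping for monitoring; an XML comment such as `<!-- auth required: unauthenticated requests reached the xmlrpc deserializer (OFBIZ-11716) -->` above both request-maps would explain the change.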
