Coordinated Disclosure Timeline
- 04/13/2020: Report sent to vendor.
- 04/23/2020: OfBiz maintainer acknowledges the issue.
- 04/23/2020: As per Apache policy, no CVE will be issued for post-authentication vulnerabilities no matter if they are privilege escalations or XSS issues (including this one that can be triggered via XSS reported in GHSL-2020-068)
- 01/10/2021: Addressed in 17.12.05
Apache OfBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE)
Server-Side Template Injection on
linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
However, the second part of the fix was not effective, since the attacker can close the
raw string context with a double quote and write a new attribute or even close the macro tag and write arbitrary FreeMarker code.
Unfortunately, the first part of the fix was removed at a later stage enabling the SSTI again and leaving OfBiz vulnerable to remote code execution (RCE).
The following link will execute the
id command and print it along each sortable filed in the page:
Note that sortable fields are used in multiple modules of the backend application and they require different permissions.
This issue leads to
Remote Code Execution
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at
firstname.lastname@example.org, please include the
GHSL-2020-066 in any communication regarding this issue.