skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
January 26, 2021

GHSL-2020-066: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Apache OfBiz

Alvaro Munoz

Coordinated Disclosure Timeline

Summary

Apache OfBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE)

Product

Apache Ofbiz

Tested Version

17.12.01

Details

Server-Side Template Injection on renderSortField

A Server-Side Template Injection (SSTI) was reported back in 2016 which was assigned CVE-2016-4462. The commited fix was two fold:

However, the second part of the fix was not effective, since the attacker can close the raw string context with a double quote and write a new attribute or even close the macro tag and write arbitrary FreeMarker code.

Unfortunately, the first part of the fix was removed at a later stage enabling the SSTI again and leaving OfBiz vulnerable to remote code execution (RCE).

The following link will execute the id command and print it along each sortable filed in the page:

https://localhost/ordermgr/control/FindRequest?foo=bar%22ajaxEnabled=false/%3E%24%7b%22freemarker%2etemplate%2eutility%2eExecute%22%3fnew%28%29%28%22id%22%29%7d%3CFOO

Note that sortable fields are used in multiple modules of the backend application and they require different permissions.

Impact

This issue leads to Remote Code Execution

CVE

Not assigned

Resources

fix commit

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-066 in any communication regarding this issue.