Coordinated Disclosure Timeline

Summary

Apache OFBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE).

Product

Apache OFBiz

Tested Version

17.12.01

Details

Server-Side Template Injection on renderLookupField

Untrusted data flows from request.getParameter("_LAST_VIEW_NAME_") to a FreeMarker macro call definition. An attacker with privileges to render any page containing a lookup field will be able to execute arbitrary system commands by sending a payload such as:

https://localhost:8443/ordermgr/control/FindQuote?_LAST_VIEW_NAME_=%22%2F%3E%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D%3CFOO

Note that lookup fields are used in multiple modules of the backend application and they require different permissions.
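The flaw described above is a view-name parameter reaching a FreeMarker macro unescaped. The following added example (not OFBiz code and not from the advisory) shows the two defensive controls a practitioner would want: an allowlist validator for `_LAST_VIEW_NAME_` (the assumption that legitimate view names are plain identifiers is mine, not verified against OFBiz), and a scanner over access-log lines that flags requests whose view name carries FreeMarker interpolation or built-in syntax. The log lines are constructed; the request path and encoded query string are the ones shown in this advisory.

```python
"""Validate _LAST_VIEW_NAME_ and flag FreeMarker-style injection in access logs.

Added example, not Apache OFBiz code. The view-name allowlist below is an
assumption: legitimate view names are treated as simple identifiers.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate OFBiz view name is a short identifier.
VIEW_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

# FreeMarker constructs that never belong in a view name:
# ${...} interpolation, <# directives, the ?new built-in, and the class prefix.
SUSPICIOUS_RE = re.compile(r"\$\{|<#|\?new\(|freemarker\.template", re.IGNORECASE)

# Combined Log Format; the request target (path + query) is what we inspect.
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample log: one benign request and one carrying the advisory's payload.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2020:00:00:01 +0000] "GET /ordermgr/control/FindQuote'
    '?_LAST_VIEW_NAME_=FindQuote HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2020:00:00:02 +0000] "GET /ordermgr/control/FindQuote'
    '?_LAST_VIEW_NAME_=%22%2F%3E%24%7B%22freemarker.template.utility.Execute'
    '%22%3Fnew%28%29%28%22id%22%29%7D%3CFOO HTTP/1.1" 200 5120',
]


def validate_view_name(value: str) -> bool:
    """Allowlist check: accept only identifier-like view names."""
    return VIEW_NAME_RE.fullmatch(value) is not None


def classify_request(target: str) -> dict:
    """Inspect a URL or request target and report on its _LAST_VIEW_NAME_ value.

    parse_qs percent-decodes each value once, so the check runs on the
    decoded text the application would actually see.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get("_LAST_VIEW_NAME_", [])
    verdict = {"path": parts.path, "present": bool(values),
               "valid": True, "suspicious": False, "values": values}
    for decoded in values:
        if not validate_view_name(decoded):
            verdict["valid"] = False
        if SUSPICIOUS_RE.search(decoded):
            verdict["suspicious"] = True
    return verdict


def scan_access_log(lines):
    """Return one finding per log line whose _LAST_VIEW_NAME_ fails validation."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        verdict = classify_request(m.group("target"))
        if verdict["present"] and not verdict["valid"]:
            findings.append({"client": m.group("client"), "ts": m.group("ts"),
                             "path": verdict["path"],
                             "suspicious": verdict["suspicious"],
                             "values": verdict["values"]})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['path']} "
              f"suspicious={f['suspicious']} value={f['values'][0]!r}")
```

Rejecting anything outside the allowlist (rather than blocklisting `${`) is the control that actually closes the injection; the `SUSPICIOUS_RE` match is only there to prioritise findings when reviewing logs for past exploitation attempts.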

Impact

This issue leads to Remote Code Execution.

CVE

Not assigned

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-067 in any communication regarding this issue.