Coordinated Disclosure Timeline
- 04/13/2020: Report sent to vendor.
- 04/23/2020: OfBiz maintainer acknowledges the issue.
- 04/23/2020: As per Apache policy, no CVE will be issued for post-authentication vulnerabilities no matter if they are privilege escalations or XSS issues (including this one that can be triggered via XSS reported in GHSL-2020-068)
- 01/10/2021: Addressed in 17.12.05
Summary
Apache OfBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE)
Product
Apache Ofbiz
Tested Version
17.12.01
Details
Server-Side Template Injection on renderLookupField
Untrusted data flows from request.getParameter("_LAST_VIEW_NAME_")
to a FreeMarker macro call definition. An attacker with privileges to render any page containing a lookup field will be able to execute arbitrary system commands by sending a payload such as:
https://localhost:8443/ordermgr/control/FindQuote?_LAST_VIEW_NAME_=%22%2F%3E%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D%3CFOO
Note that lookup fields are used in multiple modules of the backend application and they require different permissions.
Impact
This issue leads to Remote Code Execution
CVE
Not assigned
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com
, please include the GHSL-2020-067
in any communication regarding this issue.