From: Taher Alkhateeb
To: user@ofbiz.apache.org, dev@ofbiz.apache.org, security@ofbiz.apache.org, security@apache.org, announce@apache.org, oss-security@lists.openwall.com, jamesp@mindpointgroup.com
Subject: [SECURITY] CVE-2011-3600 Apache OFBiz XML-RPC XXE Vulnerability
Date: Fri, 5 Oct 2018 15:52:23 +0300

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: OFBiz 16.11.01 to 16.11.04

Description:
The OFBiz XML-RPC event handler (org.apache.ofbiz.webapp.event.XmlRpcEventHandler.java) acts as a wrapper for any OFBiz service that provides XML-RPC web services via the /webtools/control/xmlrpc endpoint. This endpoint is exposed to External Entity Injection (XXE): a request carrying a DOCTYPE declaration with an entity payload can disclose the contents of files on the filesystem. The same weakness can be used to probe for open network ports and, from the returned error messages, to determine whether a given file exists.

Mitigation:
Upgrade to 16.11.05 or manually apply the following commits on branch 16:
r1833724
r1833708
r1836141

Example:
# Payload to find an exposed port
    ping
# Payload to display file contents
]>
    &disclose;

Credit: James Parfet

References: http://ofbiz.apache.org/download.html#vulnerabilities