This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new d955b03 Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496) d955b03 is described below commit d955b03fdc226d600d81d19d273e773f84b5c000 Author: Jacques Le Roux <[hidden email]> AuthorDate: Tue May 19 15:56:02 2020 +0200 Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496) (OFBIZ-11716) Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization. thanks: Alvaro Munoz <[hidden email]> from the GitHub Security Lab team
---
 .../main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java | 4 ++++
 .../src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java | 2 +-
 framework/webtools/webapp/webtools/WEB-INF/controller.xml | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
index 95b3432..108abd1 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
@@ -98,6 +98,10 @@ public class XMLRPCClientEngine extends GenericAsyncEngine {
 Integer port = rpcPort + Start.getInstance().getConfig().portOffset;
 url = url.replace(rpcPort.toString(), port.toString());
 }
+ // Necessary for "service-xml-rpc-local-engine" test
+ if (serviceName.equals("testXmlRpcAdd")) {
+ url = url + "?USERNAME=admin&PASSWORD=ofbiz";
+ }
 login = ServiceConfigUtil.getEngineParameter(engine, "login");
 password = ServiceConfigUtil.getEngineParameter(engine, "password");
 keyStoreComponent = ServiceConfigUtil.getEngineParameter(engine, "keyStoreComponent");
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
index be08043..c38608b 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
@@ -38,7 +38,7 @@ public class XmlRpcTests extends AbstractXmlRpcTestCase {
 public static final String module = XmlRpcTests.class.getName();
 public static final String resource = "ServiceErrorUiLabels";
- private static String url = "http://localhost:8080/webtools/control/xmlrpc";
+ private static String url = "http://localhost:8080/webtools/control/xmlrpc?USERNAME=admin&PASSWORD=ofbiz";
 public XmlRpcTests(String name) {
 super(name);
diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
index eaec92b..7a61f6d 100644
--- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml
+++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
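Review bot: The new `if (serviceName.equals("testXmlRpcAdd"))` branch in XMLRPCClientEngine hard-codes the `admin`/`ofbiz` credentials into production engine code and appends them as URL query parameters, where they land in access logs, proxy logs and any log line that prints the target URL; the `url` constant in the XmlRpcTests hunk has the same query-string form. The engine already reads `login` and `password` engine parameters on the lines immediately after the insert, so the test's credentials belong in that configuration (or in the test class itself) rather than behind a service-name check in the client. `serviceName.equals(...)` will also throw NullPointerException if `serviceName` is ever null at this point; `"testXmlRpcAdd".equals(serviceName)` is the safer form. The enclosing method starts and ends outside the hunk.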
@@ -55,13 +55,14 @@ under the License.
 <response name="success" type="none"/>
 </request-map>
 <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
- <security https="false"/>
+ <security auth="true"/>
 <event type="xmlrpc"/>
 <response name="error" type="none"/>
 <response name="success" type="none"/>
 </request-map>
 <request-map uri="ping">
+ <security auth="true"/>
 <event type="service" invoke="ping"/>
 <response name="error" type="view" value="ping"/>
 <response name="success" type="view" value="ping"/>
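Review bot: `<security auth="true"/>` now requires credentials on `xmlrpc` and `ping`, but neither request-map sets `https="true"` (the old `https="false"` attribute was dropped rather than flipped), so the USERNAME/PASSWORD callers now send — in the query string, per the XmlRpcTests hunk — travel in clear text unless the schema default for `https` is true; `<security https="true" auth="true"/>` would close that gap. Requiring authentication on `ping` also changes the contract for any unauthenticated health check that relied on it, which deserves a mention in the commit message. Authentication gates access to the XML-RPC handler but does not remove the deserialization of serialized arguments the CVE describes, so any account that can authenticate still reaches that code path; a follow-up that disables the serializable-argument type in the XML-RPC server configuration would address the sink itself. The hunk header counts 13 old lines and only 12 are visible, so the last context line may have been lost in the mail rendering.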