This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.gitThe following commit(s) were added to refs/heads/release18.12 by this push:
new d955b03 Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)
d955b03 is described below
commit d955b03fdc226d600d81d19d273e773f84b5c000
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Tue May 19 15:56:02 2020 +0200
Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)
(OFBIZ-11716)
Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using
authentication they are vulnerable to unsafe deserialization.
thanks: Alvaro Munoz <
[hidden email]> from the GitHub Security Lab team
---
.../main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java | 4 ++++
.../src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java | 2 +-
framework/webtools/webapp/webtools/WEB-INF/controller.xml | 3 ++-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
index 95b3432..108abd1 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
@@ -98,6 +98,10 @@ public class XMLRPCClientEngine extends GenericAsyncEngine {
Integer port = rpcPort + Start.getInstance().getConfig().portOffset;
url = url.replace(rpcPort.toString(), port.toString());
}
+ // Necessary for "service-xml-rpc-local-engine" test
+ if (serviceName.equals("testXmlRpcAdd")) {
+ url = url + "?USERNAME=admin&PASSWORD=ofbiz";
+ }
login = ServiceConfigUtil.getEngineParameter(engine, "login");
password = ServiceConfigUtil.getEngineParameter(engine, "password");
keyStoreComponent = ServiceConfigUtil.getEngineParameter(engine, "keyStoreComponent");
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
index be08043..c38608b 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
@@ -38,7 +38,7 @@ public class XmlRpcTests extends AbstractXmlRpcTestCase {
public static final String module = XmlRpcTests.class.getName();
public static final String resource = "ServiceErrorUiLabels";
- private static String url = "
http://localhost:8080/webtools/control/xmlrpc";
+ private static String url = "
http://localhost:8080/webtools/control/xmlrpc?USERNAME=admin&PASSWORD=ofbiz";
public XmlRpcTests(String name) {
super(name);
diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
index eaec92b..7a61f6d 100644
--- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml
+++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
@@ -55,13 +55,14 @@ under the License.
<response name="success" type="none"/>
</request-map>
<request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
- <security https="false"/>
+ <security auth="true"/>
<event type="xmlrpc"/>
<response name="error" type="none"/>
<response name="success" type="none"/>
</request-map>
<request-map uri="ping">
+ <security auth="true"/>
<event type="service" invoke="ping"/>
<response name="error" type="view" value="ping"/>
<response name="success" type="view" value="ping"/>
Locked
