This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 4bdfb54 Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)
4bdfb54 is described below
commit 4bdfb54ffb6e05215dd826ca2902c3e31420287a
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Tue May 19 15:56:02 2020 +0200
Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)
(OFBIZ-11716)
Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
thanks: Alvaro Munoz <[hidden email]> from the GitHub Security Lab team
---
.../main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java | 4 ++++
.../src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java | 2 +-
framework/webtools/webapp/webtools/WEB-INF/controller.xml | 3 ++-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
index d3ef6a3..913dc08 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
@@ -99,6 +99,10 @@ public class XMLRPCClientEngine extends GenericAsyncEngine {
 Integer port = rpcPort + Start.getInstance().getConfig().portOffset;
 url = url.replace(rpcPort.toString(), port.toString());
 }
+ // Necessary for "service-xml-rpc-local-engine" test
+ if (serviceName.equals("testXmlRpcAdd")) {
+ url = url + "?USERNAME=admin&PASSWORD=ofbiz";
+ }
 login = ServiceConfigUtil.getEngineParameter(engine, "login");
 password = ServiceConfigUtil.getEngineParameter(engine, "password");
 keyStoreComponent = ServiceConfigUtil.getEngineParameter(engine, "keyStoreComponent");
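Review bot: The added block appends the fixed credential pair `USERNAME=admin&PASSWORD=ofbiz` to the outgoing URL as query parameters whenever `serviceName` is `testXmlRpcAdd`, which places a password in a string that typically ends up in web-server and proxy access logs on its way to the xmlrpc request this same commit makes `auth="true"`. Branching on a test service name also leaves a hardcoded credential and a test-only code path inside the production client engine. The engine already reads `login` and `password` from the engine configuration on the lines that follow; letting the test supply its credentials through that path (or through the test's own URL, as XmlRpcTests does in this commit) would allow dropping the `if (serviceName.equals("testXmlRpcAdd"))` special case entirely. The enclosing method starts and ends outside this hunk, so how `login` and `password` are subsequently used cannot be confirmed here. Note that the commit changes only the authentication gate; the XML-RPC argument handling itself is not touched, so the protection now rests entirely on every xmlrpc and ping request being authenticated.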
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
index 5dd0c11..2e46f5c 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
@@ -38,7 +38,7 @@ public class XmlRpcTests extends AbstractXmlRpcTestCase {
 public static final String MODULE = XmlRpcTests.class.getName();
 public static final String resource = "ServiceErrorUiLabels";
- private static String url = "http://localhost:8080/webtools/control/xmlrpc";
+ private static String url = "http://localhost:8080/webtools/control/xmlrpc?USERNAME=admin&PASSWORD=ofbiz";
 public XmlRpcTests(String name) {
 super(name);
diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
index 72eec1e..481638d 100644
--- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml
+++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
@@ -98,13 +98,14 @@ under the License.
 <response name="success" type="none"/>
 </request-map>
 <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
- <security https="false"/>
+ <security auth="true"/>
 <event type="xmlrpc"/>
 <response name="error" type="none"/>
 <response name="success" type="none"/>
 </request-map>
 <request-map uri="ping">
+ <security auth="true"/>
 <event type="service" invoke="ping"/>
 <response name="error" type="view" value="ping"/>
 <response name="success" type="view" value="ping"/> |
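Review bot: `url` now embeds the same literal `USERNAME=admin&PASSWORD=ofbiz` pair that XMLRPCClientEngine appends in this commit, so the credential is duplicated across two files and the two copies will diverge silently if either is changed. Reading it from a test property, or building the URL from a shared constant, would keep them in step and keep the password out of a string literal in the test source. As a minor point, the field could be `private static final String url = ...` if nothing else in the class assigns it; the rest of the class is outside this hunk.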