Fixed: Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2…

…020-9496) (OFBIZ-11716) Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization. thanks: Alvaro Munoz <pwntester@github.com> from the GitHub Security Lab team
apache · May 19, 2020 · 4bdfb54 · 4bdfb54
1 parent 3b7e637
commit 4bdfb54
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java b/framework/service/src/main/java/org/apache/ofbiz/service/engine/XMLRPCClientEngine.java
@@ -99,6 +99,10 @@ private static Map<String, Object> serviceInvoker(ModelService modelService, Map
                 Integer port = rpcPort + Start.getInstance().getConfig().portOffset;
                 url = url.replace(rpcPort.toString(), port.toString());
             }
+            // Necessary for "service-xml-rpc-local-engine" test
+            if (serviceName.equals("testXmlRpcAdd")) {
+                url = url + "?USERNAME=admin&PASSWORD=ofbiz";
+            }
             login = ServiceConfigUtil.getEngineParameter(engine, "login");
             password = ServiceConfigUtil.getEngineParameter(engine, "password");
             keyStoreComponent = ServiceConfigUtil.getEngineParameter(engine, "keyStoreComponent");

diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java b/framework/service/src/main/java/org/apache/ofbiz/service/test/XmlRpcTests.java
@@ -38,7 +38,7 @@ public class XmlRpcTests extends AbstractXmlRpcTestCase {
 
     public static final String MODULE = XmlRpcTests.class.getName();
     public static final String resource = "ServiceErrorUiLabels";
-    private static String url = "http://localhost:8080/webtools/control/xmlrpc";
+    private static String url = "http://localhost:8080/webtools/control/xmlrpc?USERNAME=admin&PASSWORD=ofbiz";
 
     public XmlRpcTests(String name) {
         super(name);

diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
@@ -98,13 +98,14 @@ under the License.
         <response name="success" type="none"/>
     </request-map>
     <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
-        <security https="false"/>
+        <security auth="true"/>
         <event type="xmlrpc"/>
         <response name="error" type="none"/>
         <response name="success" type="none"/>
     </request-map>
 
     <request-map uri="ping">
+        <security auth="true"/>
         <event type="service" invoke="ping"/>
         <response name="error" type="view" value="ping"/>
         <response name="success" type="view" value="ping"/>