CVE-2011-3600

Vulnerability

The /webtools/control/xmlrpc endpoint in Apache OFBiz's XML-RPC event handler is vulnerable to External Entity Injection (XXE). An attacker can send a malicious XML-RPC request containing a DOCTYPE declaration with external entities. This affects OFBiz versions 16.11.01 to 16.11.04 inclusive [1][3]. The underlying issue originates from the XML-RPC library's SAX parser not disabling external entity processing [2].

Exploitation

To exploit, an attacker sends a crafted HTTP POST request to the /webtools/control/xmlrpc endpoint with a payload that includes an external entity referencing a local file (e.g., /etc/passwd), a network port (e.g., http://internal-host:22), or a file path. The server parses the XML and, if external entities are resolved, returns the content in the response or reveals information through error messages [1][3]. No authentication or special privileges are required; the endpoint is typically accessible without authentication.

Impact

Successful exploitation leads to disclosure of sensitive files from the server's filesystem, such as configuration files or credentials. Additionally, the vulnerability can be used to probe for open network ports behind the firewall (e.g., internal services) and to determine whether specific files exist on the system, based on differing error responses [1][3]. This results in a significant information disclosure risk that can aid further attacks.

Mitigation

Fixed versions for OFBiz are not explicitly listed in the references; however, the underlying XML-RPC library fix was introduced in version 3.1.3 [2]. Users should upgrade OFBiz to a version that incorporates the fix or apply appropriate patches to the XML-RPC handler. The Debian security tracker notes that a fix exists but does not specify a version [3]. If no official patch is available, a workaround is to disable the /webtools/control/xmlrpc endpoint or restrict network access to it. This CVE is not listed in the KEV catalog.