VYPR
Unrated severity · NVD Advisory · Published Nov 18, 2024 · Updated Nov 21, 2024

Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)

CVE-2024-48962

Description

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), and Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 18.12.17.

Users are recommended to upgrade to version 18.12.17, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache OFBiz before 18.12.17 is vulnerable to code injection via CSRF in MacroMenuRenderer, allowing remote attackers to execute arbitrary code.

Vulnerability

Apache OFBiz versions before 18.12.17 contain a code injection vulnerability in the MacroMenuRenderer component. The issue arises from improper encoding of parameters, allowing an attacker to inject malicious template expressions. This is combined with a Cross-Site Request Forgery (CSRF) vector, meaning the attacker can trick an authenticated user into making a request that triggers the injection. The vulnerability is classified as CWE-94 (Code Injection) and CWE-352 (CSRF). [1][2]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious request that, when processed by an authenticated OFBiz user (e.g., via a crafted link or form submission), causes the MacroMenuRenderer to evaluate attacker-controlled template code. No prior authentication is required for the attacker, but the victim must be logged into OFBiz. The attacker does not need network access to the OFBiz server directly; they can use social engineering to deliver the CSRF payload. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the OFBiz application. This can lead to full compromise of the OFBiz instance, including data theft, modification, or deletion, and potentially lateral movement within the network. The impact is high, as it combines code injection with CSRF to bypass authentication controls. [1][2]

Mitigation

The vulnerability is fixed in Apache OFBiz version 18.12.17, released on November 18, 2024. Users are strongly recommended to upgrade to this version or later. No workarounds are provided; upgrading is the only mitigation. Users should also follow the security best practices outlined in the OFBiz security documentation [1][3]. The fix involves enhancing parameter encoding in MacroMenuRenderer to prevent template injection [2].
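As an added illustration (not OFBiz's code and not the project's actual fix), the hypothetical Java renderer below shows the defect class the narrative describes: a macro call built by splicing a caller-supplied parameter into FreeMarker template source, beside a hardened version that hands the same value to the template through the data model. With the constructed canary `${1+1}`, the spliced version lets FreeMarker evaluate the value, while the data-model version echoes it verbatim. It assumes FreeMarker 2.3.x on the classpath; the macro name `renderLink` and the class name are made up.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

// Hypothetical stand-in for a macro-based menu renderer; not OFBiz's code.
public class MacroParamDemo {
    // A stand-in macro that simply echoes the link text it receives.
    private static final String MACRO = "<#macro renderLink text>[${text}]</#macro>";

    // Unsafe pattern: the caller-supplied value is spliced into the template
    // *source*, so FreeMarker parses it as part of an FTL string literal and
    // honours any interpolation it contains.
    static String renderUnsafe(String linkText) throws Exception {
        String ftl = MACRO + "<@renderLink text=\"" + linkText + "\" />";
        return render(ftl, Map.of());
    }

    // Hardened pattern: the template source is fixed; the value arrives via the
    // data model, so whatever it contains is treated as data, never as template code.
    static String renderSafe(String linkText) throws Exception {
        String ftl = MACRO + "<@renderLink text=linkText />";
        return render(ftl, Map.of("linkText", linkText));
    }

    // Parse and process an inline template against the given data model.
    static String render(String ftlSource, Object model) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        Template t = new Template("inline", new StringReader(ftlSource), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a benign canary that only a renderer which evaluates
        // its parameters as template code will turn into an arithmetic result.
        String canary = "${1+1}";
        System.out.println("spliced into source: " + renderUnsafe(canary));
        System.out.println("passed via model:    " + renderSafe(canary));
    }
}
```

Any renderer whose output for the canary differs between the two paths is one where parameter values reach the template parser, which is exactly the condition the 18.12.17 fix closes by encoding those values.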

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
