The Apache Foundation's OFBiz, an open-source Java-based ERP framework, addressed in May 2024 a critical security vulnerability (CVE-2024-32113) involving path traversal that could lead to remote command execution. Although it is less widely deployed than commercial ERP systems, OFBiz handles sensitive business data, which makes its security crucial. The exploit involves manipulating URLs to gain unauthorized access and execute arbitrary code, and attackers have already started exploiting this vulnerability.
The vulnerability in OFBiz is a path traversal issue that can be exploited by appending a semicolon to a URL, followed by a restricted URL. Specifically, the exploit targets the /webtools/control/forgotPassword endpoint, which is publicly accessible and doesn't require authentication. Attackers can then append ;/ProgramExport to the URL, allowing arbitrary code execution via the "groovyProgram" parameter. The attack can be initiated using a POST request without a body, simply by including the payload in the URL parameters. An observed exploit uses the curl command to download a shell script from a remote server, while another variation involves the wget command.
The vulnerability was actively exploited, as seen from scans observed by researchers. These scans involved sending the exploit in both URL parameters and request bodies. The malware, possibly a variant of the Mirai botnet, was hosted on the IP 185.196.10.231, which had been involved in previous attacks.