[Apache OFBiz] Poor handling of edge case return value allows for authentication bypass

We discussed this vulnerability during Episode 235 on 14 January 2024

An authentication bypass in Apache’s OFBiz: including the GET parameter requirePasswordChange=Y in a request simply bypasses the need to authenticate, due to some mishandling of errors.

The problem starts with the login function. The code is documented as returning a boolean representing whether or not the caller should generate its own content. In reality the normal code flow returns a somewhat boolean string, either “error” or “success” (during the episode I think I mentioned thinking it was a default or empty string; I dug into the code and found the “success” return a few more functions deep). This is a bit odd and is a bit of a code smell on its own, but the function can also return a third value, “requirePasswordChange”, so it is not even truly boolean.

The problem is that the checkLogin function, which calls login, only falls into the error path when the return value is “error”, so the “requirePasswordChange” return slips through. It continues to slip through the code, taking a couple of different paths depending on whether the username and password are blank, but ultimately that unexpected return value means the login proceeds.
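The pattern described above, as an added example that is a simplified model and not Apache OFBiz source: a caller that rejects only the literal “error” next to one that accepts only “success”. The class name, the two check methods, the parameter keys USERNAME and PASSWORD, the sample credentials, and the condition under which login returns “requirePasswordChange” are assumptions made for illustration.

```java
import java.util.Map;

// Simplified model of the three-valued return problem; not Apache OFBiz code.
public class LoginReturnCheck {

    // Hypothetical stand-in for login(): returns one of three strings.
    // Assumption: failed credentials plus requirePasswordChange=Y produce
    // "requirePasswordChange" instead of "error".
    static String login(Map<String, String> params) {
        boolean valid = "admin".equals(params.get("USERNAME"))
                && "constructed-secret".equals(params.get("PASSWORD"));
        if (valid) {
            return "success";
        }
        return "Y".equals(params.get("requirePasswordChange"))
                ? "requirePasswordChange"
                : "error";
    }

    // Deny-list check: only the literal "error" stops the request, so any
    // other non-success value is treated as an authenticated session.
    static boolean checkLoginDenyList(Map<String, String> params) {
        return !"error".equals(login(params));
    }

    // Allow-list check: fail closed on everything except "success".
    static boolean checkLoginAllowList(Map<String, String> params) {
        return "success".equals(login(params));
    }

    public static void main(String[] args) {
        // Constructed requests, both carrying wrong credentials.
        Map<String, String> plain = Map.of("USERNAME", "x", "PASSWORD", "y");
        Map<String, String> flagged = Map.of(
                "USERNAME", "x", "PASSWORD", "y", "requirePasswordChange", "Y");

        System.out.println("login(plain)        = " + login(plain));
        System.out.println("login(flagged)      = " + login(flagged));
        System.out.println("deny-list, plain    = " + checkLoginDenyList(plain));
        System.out.println("deny-list, flagged  = " + checkLoginDenyList(flagged));
        System.out.println("allow-list, plain   = " + checkLoginAllowList(plain));
        System.out.println("allow-list, flagged = " + checkLoginAllowList(flagged));
    }
}
```

Returning an enum instead of a string and handling it with an exhaustive switch would make the compiler flag any caller that ignores the third state.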

This bug was, in a sense, found previously, though the focus of the prior disclosure was more on the remote code execution, due to insecure serialization, that could be exploited through it. The patch was to just remove access to the vulnerable XML-RPC route rather than dealing with the authentication bypass.