-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

             Openfire multiple vulnerabilities


1. *Advisory Information*

Title: Openfire multiple vulnerabilities
Advisory ID: CORE-2008-1128
Advisory URL: http://www.coresecurity.com/content/openfire-multiple-vulnerabilities
Date published: 2009-01-08
Date of last update: 2009-01-07
Vendors contacted: Jive Software
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Cross site scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 32935, 32937, 32938, 32939, 32940, 32943, 32944, 32945
CVE Name: N/A


3. *Vulnerability Description*

Openfire is a real time collaboration (RTC) server licensed under the Open Source GPL. It uses the widely adopted open protocol for instant messaging XMPP, also called Jabber.

Multiple cross-site scripting vulnerabilities have been found, which may lead to arbitrary remote code execution on the server running the application due to unauthorized upload of Java plugin code.


4. *Vulnerable packages*

   . Openfire 3.6.2


5. *Non-vulnerable packages*

   . Openfire 3.6.3


6. *Vendor Information, Solutions and Workarounds*

Openfire will release a fixed version through their community web site [1].


7. *Credits*

These vulnerabilities were discovered and researched by Federico Muttis, from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

Multiple cross-site scripting vulnerabilities have been found in Openfire, which may lead to arbitrary remote code execution on the server running Openfire due to unauthorized upload of Java plugin code.


8.1. *Reflected XSS Vulnerabilities*

Several cross-site scripting (XSS) vulnerabilities were detected that lead to cross-site request forgery (XSRF), which enables arbitrary remote code execution on the server running the application.
These vulnerabilities are network exploitable but the victim must voluntarily interact with the attack mechanism. The victim must be an authorized user to deploy the complete attack. We identified insufficient sanitization of several parameters in several scripts. In the case of 'logviewer.jsp' (BID 32935), 'group-summary.jsp' (BID 32937), 'user-properties.jsp' (BID 32938) and 'audit-policy.jsp' (BID 32939) there is no sanitization at all. In 'log.jsp' (BID 32940) there is a filter against '
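The defect described above is a request parameter written back into an admin-console page without encoding. The following is an added example, not Openfire code and not part of the original advisory: it shows that pattern beside the standard mitigation, HTML entity encoding at the point of output. The class name, the method names and the "log name" parameter are assumptions chosen for illustration; the sample input is constructed.

```java
// Added example (not Openfire code): a reflected request parameter rendered
// unsanitized, beside the same rendering with output encoding applied.
// ReflectedParameterExample, renderUnsanitized and renderEscaped are
// illustrative names, not identifiers from the advisory or the project.
public class ReflectedParameterExample {

    // Vulnerable pattern: the parameter value is concatenated into the
    // response unchanged, so any markup it carries becomes part of the page
    // served to the authenticated administrator.
    static String renderUnsanitized(String logName) {
        return "<h1>Viewing log: " + logName + "</h1>";
    }

    // Minimal HTML entity encoding, sufficient for text placed in an element
    // body or inside a double-quoted attribute value. Encoding is applied at
    // output, so it does not depend on which characters an input filter blocks.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: the same page, with the parameter encoded before it is
    // placed in the markup. The value is displayed literally and cannot change
    // the structure of the document.
    static String renderEscaped(String logName) {
        return "<h1>Viewing log: " + escapeHtml(logName) + "</h1>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing the characters that matter for
        // HTML context: quotes, angle brackets and an ampersand.
        String input = "debug\" <b>x</b> & 'y'";
        System.out.println(renderUnsanitized(input));
        System.out.println(renderEscaped(input));
    }
}
```

Compile and run with `javac ReflectedParameterExample.java && java ReflectedParameterExample`; the first line printed contains the injected `<b>` element as live markup, the second shows it as encoded text. Because the advisory's impact comes from an XSS being turned into a forged request by a logged-in administrator, encoding reflected parameters should be paired with a per-session anti-CSRF token checked on every state-changing console action such as a plugin upload; filtering individual characters on input, as opposed to encoding on output, is not a reliable substitute for either.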