
Openfire multiple vulnerabilities
CORE-2008-1128: Openfire multiple vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

             Openfire multiple vulnerabilities



1. *Advisory Information*

Title: Openfire multiple vulnerabilities
Advisory ID: CORE-2008-1128
Advisory URL:
http://www.coresecurity.com/content/openfire-multiple-vulnerabilities
Date published: 2009-01-08
Date of last update: 2009-01-07
Vendors contacted: Jive Software
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Cross site scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 32935, 32937, 32938, 32939, 32940, 32943, 32944, 32945
CVE Name: N/A


3. *Vulnerability Description*

Openfire is a real-time collaboration (RTC) server licensed under the
open-source GPL. It uses XMPP (also known as Jabber), the widely adopted
open protocol for instant messaging. Multiple cross-site scripting
vulnerabilities have been found in it; because they can be chained into
an unauthorized upload of Java plugin code, they may lead to arbitrary
remote code execution on the server running the application.


4. *Vulnerable packages*

   . Openfire 3.6.2


5. *Non-vulnerable packages*

   . Openfire 3.6.3


6. *Vendor Information, Solutions and Workarounds*

Openfire will release a fixed version through their community web site [1].


7. *Credits*

These vulnerabilities were discovered and researched by Federico Muttis,
from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

Multiple cross-site scripting vulnerabilities have been found in
Openfire. They may lead to arbitrary remote code execution on the server
running Openfire, since they can be used to force an unauthorized upload
of Java plugin code.


8.1. *Reflected XSS Vulnerabilities*

Several cross-site scripting (XSS) vulnerabilities were detected that
can be leveraged into cross-site request forgery (XSRF), which in turn
enables arbitrary remote code execution on the server running the
application. These vulnerabilities are exploitable over the network, but
the victim must voluntarily interact with the attack mechanism, and the
victim must be an authorized user for the complete attack to succeed.

We identified insufficient sanitization of several parameters in several
scripts. In the case of 'logviewer.jsp' (BID 32935), 'group-summary.jsp'
(BID 32937), 'user-properties.jsp' (BID 32938) and 'audit-policy.jsp'
(BID 32939) there is no sanitization at all. In 'log.jsp' (BID 32940)
there is a filter against '
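As an added example, not part of this advisory and not Openfire's own code, the following Python script scans web-server access-log lines for requests to the admin-console pages named above and flags query parameters whose decoded value carries markup, which is the reflected-XSS pattern this section describes. The log lines and the parameter names in them are constructed for illustration and are not Openfire's real parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Admin-console scripts the advisory names as lacking parameter sanitization.
SUSPECT_SCRIPTS = {"logviewer.jsp", "group-summary.jsp", "user-properties.jsp",
                   "audit-policy.jsp", "log.jsp"}

# Heuristic: markup that should never appear in a decoded query value of these pages.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)

# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines; parameter names are illustrative, not Openfire's real ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jan/2009:10:00:01 +0000] "GET /user-properties.jsp?username=alice HTTP/1.1" 200 5120',
    '10.0.0.9 - - [08/Jan/2009:10:00:07 +0000] "GET /logviewer.jsp?log=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 7331',
    '10.0.0.9 - - [08/Jan/2009:10:00:09 +0000] "GET /group-summary.jsp?start=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4210',
    '10.0.0.5 - - [08/Jan/2009:10:00:12 +0000] "GET /index.jsp?q=%3Cb%3E HTTP/1.1" 200 900',
]


def suspicious_params(path):
    """Return (name, decoded_value) pairs carrying markup, only for scripts in the advisory."""
    parts = urlsplit(path)
    if parts.path.rsplit("/", 1)[-1] not in SUSPECT_SCRIPTS:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so double-encoded
        # payloads (%253C -> %3C -> <) are inspected in their final form.
        decoded = unquote_plus(value)
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return (client, timestamp, script_path, hits) for each flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        client, ts, _method, path, _status = m.groups()
        hits = suspicious_params(path)
        if hits:
            findings.append((client, ts, urlsplit(path).path, hits))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags only the two requests to pages named in the advisory whose values decode to markup; the `index.jsp` request with the same characters is left alone, which keeps the check scoped to the pages this advisory covers.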