Admin Cross Site Scripting (XSS) Vulnerabilities

Description

hyp3rlinx has reported several Persistent & Reflected XSS issues in the Openfire v3.10.2 admin console. A couple of these require the Client Control plugin to be installed.

Full details at: https://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html

Vulnerability Details:

1) Persistent XSS exists when creating a Group Chat Bookmark; the XSS will execute each time the victim accesses the 'Group Chat Bookmarks' web page. The vulnerable parameter is 'groupchatName'. The XSS will be stored in the 'ofbookmark' table, in the 'bookmarkName' column of the MySQL DB, and will be under bookmarkType as 'group_chat'.

2) Persistent XSS exists when creating URL Bookmarks. The vulnerable parameter is 'urlName'. The XSS will be stored in the 'ofbookmark' table, in the 'bookmarkName' column of the MySQL DB, and will be under column bookmarkType as 'url'.

3) A reflected XSS entry point exists in the search parameter; script tags fail, but we can defeat this using the onMouseMove() JS function.

Exploit Code(s):

1) Persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=group_chat
Inject the following payload into the 'Group Chat Name' field, then click 'Create'.

2) Persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=url
Inject the following payload into the 'URL Name' field, then click 'Create'.

3) Reflected XSS:

4) Reflected XSS:

Environment

None

Activity

Simon Waters
December 16, 2016, 3:33 PM

Item 4 group-summary search parameter is still present in 4.1.beta

I was unable to locate the create-bookmark feature in clientcontrol.
I was unable to reproduce the issue described in exploit 3.

Other XSS issues found will be reported separately.

Dave Cridland
December 21, 2016, 11:37 AM
Fixed
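
An added example (not from the advisory or the Openfire project): a Python audit of the stored locations named in the description, the 'ofbookmark' table's 'bookmarkName' column for types 'group_chat' and 'url', listing names that contain HTML-significant characters alongside their encoded form. It assumes an in-memory SQLite stand-in for the MySQL table with constructed rows; `build_sample_db` and `audit_bookmarks` are hypothetical names.

```python
import html
import re
import sqlite3

# Characters that change meaning in HTML element or attribute context.
HTML_SIGNIFICANT = re.compile(r"[<>\"'&]")


def build_sample_db():
    """In-memory stand-in for the MySQL 'ofbookmark' table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ofbookmark (bookmarkType TEXT, bookmarkName TEXT)")
    db.executemany(
        "INSERT INTO ofbookmark VALUES (?, ?)",
        [
            ("group_chat", "Engineering"),      # plain text, nothing to flag
            ("group_chat", "Ops <b>room</b>"),  # markup in element context
            ("url", 'Wiki" title="x'),          # quote that closes an attribute
            ("url", "R&D portal"),              # benign, but must still be encoded
        ],
    )
    return db


def audit_bookmarks(db):
    """Return (type, raw name, encoded name) for every row that needs encoding."""
    rows = db.execute(
        "SELECT bookmarkType, bookmarkName FROM ofbookmark "
        "WHERE bookmarkType IN ('group_chat', 'url') ORDER BY rowid"
    )
    findings = []
    for btype, name in rows:
        if HTML_SIGNIFICANT.search(name):
            # quote=True also encodes " and ', which matters inside attributes,
            # where filtering only <script> tags does not help.
            findings.append((btype, name, html.escape(name, quote=True)))
    return findings


if __name__ == "__main__":
    for btype, raw, encoded in audit_bookmarks(build_sample_db()):
        print(f"{btype:10} raw={raw!r} encoded={encoded!r}")
```

Flagged rows are candidates for review, not proof of compromise; the encoded column shows what the admin page should emit for each name.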

Assignee

Dave Cridland

Reporter

Tim Durden

Expected Effort

None

Ignite Forum URL

None

Priority

Major