Reflective Cross-Site Scripting vulnerability on setup test page

Description

Reported via security mailing list by Luke Arntson:

When submitting a request to one of the unauthenticated JSP pages of OpenFire, it is possible to inject arbitrary HTML that will reflect back to a user. An attacker can use this to steal session credentials, run malicious code on a client's browser, and many other harmful issues related to malicious HTML.

Instance:
http://localhost:9090/setup/setup-admin-settings_test.jsp
parameter: username

Steps to reproduce:
1. Load up an instance of OpenFire 4.0.x
2. Navigate to the following url in Firefox:
http://localhost:9090/setup/setup-admin-settings_test.jsp?username=%3Cinput%20onfocus=prompt(1)%20autofocus%3E&ldap=true
3. Observe that a JavaScript prompt is presented to the user

Remediation:
The setup-admin-settings_test.jsp page should sanitize all input variables, and ensure that the output is sanitized as well.
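
The output-encoding half of the remediation above, as an added example (not Openfire's code and not the fix that was applied). The class name, the helper methods and the `<td>` rendering are hypothetical stand-ins for however the page writes `username` into its response.

```java
import java.net.URLDecoder;

public class ReflectedParamEncoding {
    // Encode the five characters that can break out of HTML text or a quoted attribute.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical rendering: the value is concatenated into markup unchanged.
    static String renderUnencoded(String username) {
        return "<td>" + username + "</td>";
    }

    // Same rendering with the value encoded at the point of output.
    static String renderEncoded(String username) {
        return "<td>" + escapeHtml(username) + "</td>";
    }

    public static void main(String[] args) throws Exception {
        // The username value from the reproduction URL in the report, as the container decodes it.
        String username = URLDecoder.decode("%3Cinput%20onfocus=prompt(1)%20autofocus%3E", "UTF-8");

        String before = renderUnencoded(username);
        String after = renderEncoded(username);
        System.out.println("unencoded: " + before);
        System.out.println("encoded:   " + after);

        // The encoded output must contain no markup that originates from the parameter.
        if (after.contains("<input") || !after.contains("&lt;input")) {
            throw new AssertionError("parameter was not encoded");
        }
    }
}
```

In a JSP, JSTL's `<c:out value="${param.username}"/>` applies the same encoding by default, so the value is never written with a raw `<%= ... %>` expression.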

Environment

None

Activity

Daryl Herzmann
November 13, 2017, 4:06 PM

I wonder if the fix for helped with this issue...

Fixed

Assignee

Guus der Kinderen

Reporter

wroot