Remove wildcard usage in AuthCheckFilter

Description

The implementation of org.jivesoftware.admin.AuthCheckFilter#testURLPassesExclude allows wildcard characters (*) to be used when matching URLs against an auth-exclusion pattern. An auth-exclusion pattern that includes such a wildcard character is hard-coded in Openfire's xmppserver/src/main/webapp/WEB-INF/web.xml, in its 'AuthCheck' filter definition (note the setup/setup-* value):

<filter>
    <filter-name>AuthCheck</filter-name>
    <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
    <init-param>
        <param-name>excludes</param-name>
        <param-value>
            login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,loginToken.jsp
        </param-value>
    </init-param>
</filter>

Openfire should not have wildcards in its auth-exclusions. Investigate whether the wildcard entry can be replaced with multiple entries, one for each resource that the wildcard would cover (as the resources are all in setup, this is likely a finite set of resources).

Test if Openfire's setup remains functional afterwards.
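The following is an added illustration of the point above; it is not Openfire's AuthCheckFilter and does not reproduce its real matching code. The matcher is a simplified stand-in (an assumption) that treats a trailing '*' as a prefix match and everything else as an exact match, and the explicit setup page names are placeholders rather than the project's actual list. It shows why a wildcard entry exempts more than the finite set of setup pages it is meant to cover, and how an enumerated list does not.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example, not Openfire code. Compares a wildcard-bearing exclusion list
 * with one that enumerates each exempt resource explicitly.
 */
public class AuthExcludeDemo {

    /** Subset of the web.xml 'excludes' init-param from the issue, including the wildcard entry. */
    static final Set<String> WILDCARD_EXCLUDES = new LinkedHashSet<>(Arrays.asList(
        "login.jsp",
        "setup/index.jsp",
        "setup/setup-*"));

    /**
     * The same subset with the wildcard replaced by explicit entries. The page
     * names below are placeholders (assumption), not the project's real list; the
     * real list would come from enumerating the resources under setup/.
     */
    static final Set<String> EXPLICIT_EXCLUDES = new LinkedHashSet<>(Arrays.asList(
        "login.jsp",
        "setup/index.jsp",
        "setup/setup-host-settings.jsp",   // placeholder entry
        "setup/setup-admin-settings.jsp",  // placeholder entry
        "setup/setup-finished.jsp"));      // placeholder entry

    /** Simplified single-entry test: a trailing '*' means prefix match, otherwise exact match. */
    static boolean matchesEntry(String url, String exclude) {
        if (exclude.endsWith("*")) {
            String prefix = exclude.substring(0, exclude.length() - 1);
            return url.startsWith(prefix);
        }
        return url.equals(exclude);
    }

    /** Returns true when the request URL is exempt from the auth check under the given list. */
    static boolean passesExclude(String url, Set<String> excludes) {
        for (String exclude : excludes) {
            if (matchesEntry(url, exclude)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed request paths: a setup page that is on the explicit list, a page
        // that does not exist under setup/ but shares the wildcard prefix, and an
        // ordinary admin page that must always be authenticated.
        String[] requests = {
            "setup/setup-host-settings.jsp",
            "setup/setup-no-such-page.jsp",
            "user-summary.jsp"
        };
        System.out.printf("%-34s %-9s %-9s%n", "request", "wildcard", "explicit");
        for (String url : requests) {
            System.out.printf("%-34s %-9b %-9b%n", url,
                passesExclude(url, WILDCARD_EXCLUDES),
                passesExclude(url, EXPLICIT_EXCLUDES));
        }
    }
}
```

The second request path is the one that matters for the issue: it is exempt under the wildcard list purely because of its prefix, while the explicit list rejects it because it is not one of the enumerated resources. The first path is exempt under both lists, which is the property the setup flow needs, and the third is exempt under neither. When replacing the wildcard in web.xml, the same three-way check (known setup page, unknown page under the prefix, ordinary admin page) is a useful sanity test alongside running the setup wizard itself.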

This change should go in branches main, 4.7 and 4.6 of the private temporary fork of Openfire that is used to address this vulnerability.

Environment

None

Activity


Daniel Jackson May 17, 2023 at 11:03 AM

Wildcard for setup pages has been removed and ready to merge in with the patches for 4.6, 4.7 and main.

Daniel Jackson May 10, 2023 at 12:28 PM

Pushed up a new branch on the private fork named ‘OF-2595-authcheck-wildcard’, which we can merge into main, 4.7 and 4.6 when approved/reviewed. Ensured all the JSPs under the setup path are still permitted and removed the wildcard. Exploit fails and setup still works.

JSPFs and pages with the suffix ‘_test’ are not included in the excludes. Does this need to be different in the test-web.xml? (Tests pass with it being identical currently.)

Done

Details

Created May 9, 2023 at 2:33 PM
Updated May 17, 2023 at 11:03 AM
Resolved May 17, 2023 at 11:03 AM