Admin console (XSS) vulnerability lets attacker change admin password or create new admin

Description

From http://1337day.com/exploits/21338:

This exploit uses multiple vulnerabilities in Openfire.
Openfire admin must visit exploit link.
Attacker can create new admin or change admin password.

But there is no real exploit code example except for the paid one.
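The attack class described above (an admin visits an attacker-controlled link, the browser attaches the admin session cookie, and a state-changing admin-console request goes through) and the synchronizer-token fix that later comments refer to, as an added example. This is illustrative Python, not Openfire code: the session store, user table, endpoint path and the `Request` class are all constructed stand-ins.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the console's session store and
# user database (not Openfire's real structures).
SESSIONS = {"admin-session-1": {"user": "admin", "csrf": secrets.token_hex(16)}}
USERS = {"admin": {"password": "old-secret", "is_admin": True}}


class Request:
    """Minimal stand-in for an HTTP request as a servlet would see it."""

    def __init__(self, method, path, params, cookies, headers=None):
        self.method = method
        self.path = path
        self.params = params
        self.cookies = cookies
        self.headers = headers or {}


def vulnerable_set_password(req):
    """The pattern behind the reported issue: the only check is the session
    cookie, which the browser attaches to a cross-site request automatically."""
    session = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if not session or not USERS[session["user"]]["is_admin"]:
        return 403
    USERS[req.params["user"]]["password"] = req.params["password"]
    return 200


def hardened_set_password(req, expected_origin="https://admin.example.test"):
    """Synchronizer-token pattern: a state change needs POST, a per-session
    token compared in constant time, and (when present) a matching Origin."""
    session = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if not session or not USERS[session["user"]]["is_admin"]:
        return 403
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin")
    if origin is not None and origin != expected_origin:
        return 403
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    USERS[req.params["user"]]["password"] = req.params["password"]
    return 200


def forged_request(method="GET", origin="https://attacker.example"):
    """What a cross-site page can make the admin's browser send: the cookie
    rides along, but the page cannot read the session's CSRF token.
    The path is a placeholder, not a real Openfire console URL."""
    return Request(method, "/change-password",
                   {"user": "admin", "password": "pwned"},
                   {"JSESSIONID": "admin-session-1"},
                   {"Origin": origin})


def legitimate_request():
    """A request from the console's own form, carrying the session's token."""
    return Request("POST", "/change-password",
                   {"user": "admin", "password": "rotated",
                    "csrf": SESSIONS["admin-session-1"]["csrf"]},
                   {"JSESSIONID": "admin-session-1"},
                   {"Origin": "https://admin.example.test"})


if __name__ == "__main__":
    print("vulnerable, forged GET:", vulnerable_set_password(forged_request()))
    print("hardened, forged GET:", hardened_set_password(forged_request()))
    print("hardened, forged POST:", hardened_set_password(forged_request("POST")))
    print("hardened, legitimate:", hardened_set_password(legitimate_request()))
```

The token check only holds while the attacker cannot run script in the console's origin: an XSS in the same console can read the token out of the page and submit the form itself, which is why the XSS and CSRF halves of this issue are tracked together rather than treated as independent.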

Environment

None

Activity

Daryl Herzmann
April 30, 2014, 8:07 PM

cloned for the CSRF work

Daryl Herzmann
April 30, 2014, 5:43 PM

Moving unfixed 3.9.2 issues to 3.9.3 for consideration.

Tom Evans
April 17, 2014, 5:04 PM

This issue is partially resolved (XSS vulnerabilities) with the merge of pull request #1 into master.

A fix for the CSRF vulnerabilities is still pending.

Tom Evans
April 16, 2014, 7:21 PM

FYI related to WIP on admin console CSRF vulnerabilities: http://community.igniterealtime.org/message/238263

Tom Evans
April 16, 2014, 4:40 PM

Yes, the pending pull request addresses part of the documented vulnerability (XSS). I have reviewed it, and will merge it into the master before the 3.9.2 release is shipped.

Fixed

Assignee

Tom Evans

Reporter

wroot

Labels