Admin console (XSS) vulnerability lets attacker change admin password or create new admin

Description

This expoit use multiple vulnerabilites in Openfire.
Openfire admin must visit exploit link.
Attacker can create new admin or change admin password.

But there is no real exploit code example except of the paid one.

Environment

None

Acceptance Test - Entry

None

Activity

Show:

Tom Evans

April 16, 2014, 4:40 PM

Copy link to comment

Yes, the pending pull request addresses part of the documented vulnerability (XSS). I have reviewed it, and will merge it into the master before the 3.9.2 release is shipped.

Tom Evans

April 16, 2014, 7:21 PM

Copy link to comment

FYI related to WIP on admin console CSRF vulnerabilities: http://community.igniterealtime.org/message/238263

Tom Evans

April 17, 2014, 5:04 PM

Copy link to comment

This issue is partially resolved (XSS vulnerabilities) with the merge of pull request #1 into master.

A fix for the CSRF vulnerabilities is still pending.

Daryl Herzmann

April 30, 2014, 5:43 PM

Copy link to comment

Moving unfixed 3.9.2 issues to 3.9.3 for consideration.

Daryl Herzmann

April 30, 2014, 8:07 PM

Copy link to comment

cloned for the CSRF work

Assignee

Tom Evans

Reporter

wroot

Labels

xss

Expected Effort

None

Ignite Forum URL

None

Components

Admin Console

Fix versions

3.9.2

Affects versions

3.8.2

Priority

Major

Configure