Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Admin console (XSS) vulnerability lets attacker change admin password or create new admin

Description

From http://1337day.com/exploits/21338:

This expoit use multiple vulnerabilites in Openfire.
Openfire admin must visit exploit link.
Attacker can create new admin or change admin password.

But there is no real exploit code example except of the paid one.

Environment

None

Activity

Show:

Daryl Herzmann April 30, 2014 at 8:07 PM

cloned for the CSRF work

Daryl Herzmann April 30, 2014 at 5:43 PM

Moving unfixed 3.9.2 issues to 3.9.3 for consideration.

Tom Evans April 17, 2014 at 5:04 PM

This issue is partially resolved (XSS vulnerabilities) with the merge of pull request #1 into master.

A fix for the CSRF vulnerabilities is still pending.

Tom Evans April 16, 2014 at 7:21 PM

FYI related to WIP on admin console CSRF vulnerabilities: http://community.igniterealtime.org/message/238263

Tom Evans April 16, 2014 at 4:40 PM

Yes, the pending pull request addresses part of the documented vulnerability (XSS). I have reviewed it, and will merge it into the master before the 3.9.2 release is shipped.

Fixed

Details

Assignee

Reporter

Labels

Components

Fix versions

Affects versions

Priority

Created October 10, 2013 at 5:52 PM
Updated April 30, 2014 at 8:07 PM
Resolved April 30, 2014 at 8:07 PM