Multiple Reflected XSS Vulnerabilities in Admin Console

Description

The following parameters were identified (by @SimonWaters, Surevine - 5th Aug 2014) as being vulnerable to reflected XSS (Cross Site Scripting):

  • /dwr/exec/downloader.updatePluginsList.dwr [c0-id parameter]

  • /external-components-settings.jsp [secret parameter]

  • /external-components-settings.jsp [subdomain parameter]

  • /group-summary.jsp [search parameter]

  • /server2server-settings.jsp [remotePort parameter]

  • /setup/setup-admin-settings.jsp [email parameter]

  • /setup/setup-admin-settings.jsp [newPassword parameter]

  • /setup/setup-admin-settings.jsp [newPasswordConfirm parameter]

  • /setup/setup-admin-settings.jsp [password parameter]

This ticket was originally a collection of issues raised, but has been updated to focus only on reflected XSS (high priority) issues.
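The pattern behind every parameter listed above is the same: a request value is written back into the page without being escaped for the HTML context it lands in. The following is an added example, not Openfire's own code, that shows that pattern in plain Java beside the hardened form; the `search` parameter and the `<input>` markup are constructed stand-ins for the real JSP pages, and `escapeHtml` is a hand-written helper rather than a library call.

```java
// Added example (not Openfire's own code): a reflected parameter written into an
// HTML attribute, first unescaped (the defect reported in this ticket) and then
// escaped. "search" stands in for any of the listed parameters.
public final class ReflectedParamDemo {

    // Vulnerable: the request parameter is concatenated straight into an HTML
    // attribute, so a value containing a closing quote breaks out of it.
    static String renderSearchBoxUnsafe(String search) {
        return "<input type=\"text\" name=\"search\" value=\"" + search + "\">";
    }

    // Minimal escaper for HTML text and quoted attribute values (no dependency).
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened: the reflected value is escaped before it reaches the markup.
    static String renderSearchBoxSafe(String search) {
        return "<input type=\"text\" name=\"search\" value=\"" + escapeHtml(search) + "\">";
    }

    // Regression check for a unit test: a parameter containing markup
    // metacharacters must never appear verbatim in the rendered page.
    static boolean reflectsUnescaped(String param, String html) {
        return param.matches("(?s).*[<>\"'&].*") && html.contains(param);
    }

    public static void main(String[] args) {
        String constructed = "\"><i>injected</i>"; // constructed test input
        System.out.println(renderSearchBoxUnsafe(constructed));
        System.out.println(renderSearchBoxSafe(constructed));
        System.out.println("unsafe reflects verbatim: "
                + reflectsUnescaped(constructed, renderSearchBoxUnsafe(constructed))); // true
        System.out.println("safe reflects verbatim:   "
                + reflectsUnescaped(constructed, renderSearchBoxSafe(constructed)));   // false
    }
}
```

In a JSP the same fix is to stop using `<%= request.getParameter(...) %>` for output and go through an escaping tag such as JSTL's `<c:out value="${param.search}"/>`, which escapes XML metacharacters by default; the `reflectsUnescaped` check is the kind of assertion that catches a regression on any of the listed pages.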

Environment

None

Attachments: 1

is related to

Activity

Dave Cridland December 21, 2016 at 12:15 PM

Closing this as covers this.

Dave Cridland December 21, 2016 at 12:10 PM

Simon implies that the DWR case here is closed, but I think that's in error - we've done nothing that would close it.

Dave Cridland December 17, 2016 at 10:31 AM

I can't make head or tail of this DWR stuff. It's thoroughly buried in layers of Javascript.

Simon Waters December 16, 2016 at 11:27 AM
Edited

In 4.1beta, testing suggests only these remain:

/group-summary.jsp
/setup/setup-admin-settings.jsp

Both also lack CSRF (probably not needed for "search" in group-summary), but this means they may be more readily exploited by remote attackers.

Set-up issues are not obviously exploitable after set-up is complete and the openfire.xml file has "<setup>true</setup>".

Guus der Kinderen March 23, 2016 at 8:08 AM
Edited

Florian Nivette of Sysdream provided a report with additional XSS vulnerabilities. I've attached them to this issue.

Fixed

Details

Created August 6, 2014 at 8:09 AM
Updated October 28, 2020 at 11:02 AM
Resolved December 21, 2016 at 12:15 PM