Multiple Reflected XSS Vulnerabilities in Admin Console
The following parameters were identified (by @SimonWaters, Surevine - 5th Aug 2014) as being vulnerable to reflected XSS (Cross-Site Scripting):
/dwr/exec/downloader.updatePluginsList.dwr [c0-id parameter]
/external-components-settings.jsp [secret parameter]
/external-components-settings.jsp [subdomain parameter]
/group-summary.jsp [search parameter]
/server2server-settings.jsp [remotePort parameter]
/setup/setup-admin-settings.jsp [email parameter]
/setup/setup-admin-settings.jsp [newPassword parameter]
/setup/setup-admin-settings.jsp [newPasswordConfirm parameter]
/setup/setup-admin-settings.jsp [password parameter]
This ticket was originally a collection of issues raised, but has been updated to focus only on reflected XSS (high priority) issues.
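The fix for every parameter listed above is the same: escape the reflected value for the HTML context it lands in before echoing it. The snippet below is an added illustration, not Openfire's code; it models the "search" parameter of group-summary.jsp with a vulnerable echo beside a hardened one, using a constructed, harmless marker value.

```python
import html

# Constructed sample value for the reflected "search" parameter of
# group-summary.jsp. It is a harmless marker, not an exploit payload.
CONSTRUCTED_SEARCH = '"><b>marker</b>'


def render_search_vulnerable(search: str) -> str:
    """Reflects the parameter into an attribute and the page body unescaped
    (the behaviour reported in this ticket)."""
    return (f'<input type="text" name="search" value="{search}">'
            f'<p>Results for {search}</p>')


def render_search_hardened(search: str) -> str:
    """Escapes the parameter before reflecting it.

    html.escape(quote=True) neutralises <, >, &, " and ', so the value is
    inert both inside a double-quoted attribute and in text content.
    """
    safe = html.escape(search, quote=True)
    return (f'<input type="text" name="search" value="{safe}">'
            f'<p>Results for {safe}</p>')


def reflects_markup(rendered: str, marker: str = "<b>marker</b>") -> bool:
    """Regression check: does the raw marker survive into the output?"""
    return marker in rendered


if __name__ == "__main__":
    print(reflects_markup(render_search_vulnerable(CONSTRUCTED_SEARCH)))  # True
    print(reflects_markup(render_search_hardened(CONSTRUCTED_SEARCH)))    # False
```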
Closing this as covers this.
Simon implies that the DWR case here is closed, but I think that's in error - we've done nothing that would close it.
In 4.1beta, testing suggests only these remain:
Both also lack CSRF protection (probably not needed for "search" in group-summary), which means they may be more readily exploited by remote attackers.
Set-up issues are not obviously exploitable after set-up is complete and the openfire.xml file has "<setup>true</setup>".
Florian Nivette of Sysdream provided a report with additional XSS vulnerabilities. I've attached them to this issue.