Multiple Reflected XSS Vulnerabilities in Admin Console

Description

The following parameters were identified (by @SimonWaters, Surevine - 5th Aug 2014) as being vulnerable to reflected XSS (Cross Site Scripting):

  • /dwr/exec/downloader.updatePluginsList.dwr [c0-id parameter]

  • /external-components-settings.jsp [secret parameter]

  • /external-components-settings.jsp [subdomain parameter]

  • /group-summary.jsp [search parameter]

  • /server2server-settings.jsp [remotePort parameter]

  • /setup/setup-admin-settings.jsp [email parameter]

  • /setup/setup-admin-settings.jsp [newPassword parameter]

  • /setup/setup-admin-settings.jsp [newPasswordConfirm parameter]

  • /setup/setup-admin-settings.jsp [password parameter]

This ticket was originally a collection of issues raised, but has been updated to focus only on reflected XSS (high priority) issues.
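The parameters above are a finding, not a test. The script below is an added example (not code from this ticket or from the Openfire code base) of the check a reviewer would run to confirm or re-confirm each entry: it sends a unique canary containing `"`, `<` and `>` in each listed parameter and classifies the response as reflecting the canary unescaped (a reflected-XSS candidate), encoded (some output encoding was applied), or not at all. The endpoint/parameter pairs are copied from the list above; the base URL and session cookie taken by `http_fetch` are assumptions, and `constructed_fetch` returns made-up responses so the example runs offline.

```python
"""Canary-reflection check for the admin console parameters in this ticket.

Added example, not Openfire project code. Raw reflection of the canary is a
necessary condition for reflected XSS, not proof of exploitability; an
"encoded" verdict only says the specific characters were changed and does not
by itself prove the sink is safe in every output context.
"""
import html
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode

# Endpoint/parameter pairs copied from the ticket description.
TARGETS = [
    ("/dwr/exec/downloader.updatePluginsList.dwr", "c0-id"),
    ("/external-components-settings.jsp", "secret"),
    ("/external-components-settings.jsp", "subdomain"),
    ("/group-summary.jsp", "search"),
    ("/server2server-settings.jsp", "remotePort"),
    ("/setup/setup-admin-settings.jsp", "email"),
    ("/setup/setup-admin-settings.jsp", "newPassword"),
    ("/setup/setup-admin-settings.jsp", "newPasswordConfirm"),
    ("/setup/setup-admin-settings.jsp", "password"),
]


def wrap(token):
    """Wrap a unique token in characters that any HTML sink must encode."""
    return f'"<xss{token}>'


def classify(body, token):
    """Classify how one response body handled the canary built from `token`.

    'unescaped': the canary came back byte-for-byte, so the page writes the
                 parameter into HTML without encoding (reflected XSS candidate).
    'encoded':   the token is present but the surrounding ", < or > were
                 altered, i.e. some output encoding was applied.
    'absent':    the parameter value is not reflected in this response.
    """
    if wrap(token) in body:
        return "unescaped"
    if token in body:
        return "encoded"
    return "absent"


def probe(fetch, targets=TARGETS):
    """Send one fresh canary per (path, parameter) and classify each response.

    `fetch(path_and_query) -> str` is supplied by the caller, so the same
    logic runs against a live server or the constructed responses below.
    """
    results = {}
    for path, param in targets:
        token = secrets.token_hex(6)
        body = fetch(f"{path}?{urlencode({param: wrap(token)})}")
        results[(path, param)] = classify(body, token)
    return results


def http_fetch(base_url, cookie_header):
    """Build a fetch callable for a live console (URL and cookie are assumed)."""
    def fetch(path_and_query):
        req = urllib.request.Request(base_url + path_and_query,
                                     headers={"Cookie": cookie_header})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


def constructed_fetch(path_and_query):
    """Constructed stand-in for the admin console, for the offline demo only.

    group-summary.jsp is made to echo the search term raw (the behaviour the
    ticket reports); external-components-settings.jsp is made to echo its
    parameter HTML-encoded; every other path ignores the parameter.
    """
    path, _, query = path_and_query.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if path == "/group-summary.jsp":
        return f'<input name="search" value="{params.get("search", "")}">'
    if path == "/external-components-settings.jsp":
        value = html.escape(next(iter(params.values())), quote=True)
        return f'<input value="{value}">'
    return "<html><body>No reflection on this page</body></html>"


if __name__ == "__main__":
    # Offline run against the constructed responses; swap in
    # probe(http_fetch("https://admin.example:9091", "JSESSIONID=...")) for a real host.
    for (path, param), verdict in sorted(probe(constructed_fetch).items()):
        print(f"{verdict:9s} {path} [{param}]")
```

The DWR endpoint is a reminder of the limits of this check: `/dwr/exec/...` answers with a JavaScript payload rather than an HTML page, so a raw reflection there has to be judged in a script context, and a plain substring match is only a first pass.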

Environment

None

Activity

Dave Cridland
December 21, 2016, 12:15 PM

Closing this as covers this.

Dave Cridland
December 21, 2016, 12:10 PM

Simon implies that the DWR case here is closed, but I think that's in error - we've done nothing that would close it.

Dave Cridland
December 17, 2016, 10:31 AM

I can't make head or tail of this DWR stuff. It's thoroughly buried in layers of Javascript.

Simon Waters
December 16, 2016, 11:27 AM
Edited

In 4.1beta, testing suggests only these remain:

/group-summary.jsp
/setup/setup-admin-settings.jsp

Both also lack CSRF protection (probably not needed for "search" in group-summary), which means they may be more readily exploited by remote attackers.

Set-up issues are not obviously exploitable after set-up is complete and the openfire.xml file has "<setup>true</setup>".

Guus der Kinderen
March 23, 2016, 8:08 AM
Edited

Florian Nivette of Sysdream provided a report with additional XSS vulnerabilities. I've attached them to this issue.

Fixed

Assignee

Dave Cridland

Reporter

Dave Cridland