CVE-2015-7707 Admin Console Privilege Escalation Vulnerability

Description

hyp3rlinx reported that Openfire v3.10.2 suffers from a privilege escalation vulnerability.

Vulnerability Details:

  • No check is made when updating user privileges, allowing a regular user to become an admin.

  • Escalation can also be done remotely if a user is logged in, as no CSRF token exists.

Exploit code(s):
http://localhost:9090/user-edit-form.jsp?username=test02&save=true&name=test02&email=tim.durden+test02@surevine.com&isadmin=on

Full Details: https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html
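The two behaviours the ticket describes, modelled as an added example (this is constructed illustration code, not Openfire's own code or anything from the advisory; `Session`, `vulnerable_user_edit`, `hardened_user_edit` and the user store are hypothetical names). The vulnerable handler applies `isadmin=on` to any request that arrives with a valid admin session, which is exactly what lets a request triggered from another site (or from an XSS payload, as a later comment notes) flip a regular account to admin. The hardened handler requires the form to echo back a per-session CSRF token, which is the shape of the fix reported for the 4.1 beta:

```python
"""Model of the user-edit-form.jsp weakness and its CSRF-token fix.

Constructed example; the names below are hypothetical and not Openfire code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


def new_user_store() -> dict:
    """Constructed stand-in for the user database: username -> admin flag."""
    return {"admin": True, "test02": False}


@dataclass
class Session:
    """Server-side state for one logged-in admin console session (hypothetical)."""
    user: str
    is_admin: bool
    # Per-session anti-CSRF token, created at login and embedded in each form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def parse_request(url: str) -> dict:
    """Flatten the query string of a GET request into single string values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_user_edit(store: dict, session: Session, url: str) -> bool:
    """3.10.2-style handling: any request riding on a valid admin session is
    honoured, including one another site made the admin's browser send.
    Returns True if the privilege change was applied."""
    params = parse_request(url)
    if not session.is_admin or params.get("save") != "true":
        return False
    store[params["username"]] = params.get("isadmin") == "on"
    return True


def hardened_user_edit(store: dict, session: Session, url: str) -> bool:
    """Fixed handling: the form must echo the session's CSRF token back.
    A cross-site page can make the browser attach the session cookie but
    cannot read the token, so the forged request fails this check."""
    params = parse_request(url)
    if not session.is_admin or params.get("save") != "true":
        return False
    supplied = params.get("csrf", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False
    store[params["username"]] = params.get("isadmin") == "on"
    return True


# Request shape quoted in the ticket; the e-mail is replaced with a placeholder.
FORGED_URL = ("http://localhost:9090/user-edit-form.jsp?username=test02&save=true"
              "&name=test02&email=test02%40example.invalid&isadmin=on")


def demo() -> dict:
    """Replay the forged request against both handlers and report the outcomes."""
    admin = Session(user="admin", is_admin=True)
    other = Session(user="admin", is_admin=True)  # separate login, separate token

    vuln_store = new_user_store()
    vuln_ok = vulnerable_user_edit(vuln_store, admin, FORGED_URL)

    hard_store = new_user_store()
    forged_ok = hardened_user_edit(hard_store, admin, FORGED_URL)
    # A token issued to a different session must not be accepted either.
    foreign_ok = hardened_user_edit(hard_store, admin, FORGED_URL + "&csrf=" + other.csrf_token)
    test02_after_forged = hard_store["test02"]
    # A submission from the real form carries the matching token.
    legit_ok = hardened_user_edit(hard_store, admin, FORGED_URL + "&csrf=" + admin.csrf_token)

    return {
        "vulnerable_accepted": vuln_ok,
        "vulnerable_test02_admin": vuln_store["test02"],
        "hardened_forged_accepted": forged_ok,
        "hardened_foreign_token_accepted": foreign_ok,
        "hardened_test02_admin_after_forged": test02_after_forged,
        "hardened_legit_accepted": legit_ok,
        "hardened_test02_admin_after_legit": hard_store["test02"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token is bound to the session rather than to the user, so a token lifted from one login does not work against another, and the comparison uses `hmac.compare_digest` rather than `==`. The model keeps the ticket's GET shape for clarity; in practice a state-changing form should also be limited to POST so the request cannot be fired from a plain image or link.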

Environment

None

Activity

Tim Durden
January 4, 2016, 2:47 PM
Edited

Originally, this ticket covered 5 security issues raised in Openfire 3.10.2. I've split these out into their own respective tickets, as below:

Tim Durden
January 4, 2016, 2:59 PM

Further investigation suggests that while it is possible to update user permissions via a single request, this is only possible if an admin is already logged in to the Openfire admin console. However, combined with an XSS exploit, this could be used to escalate permissions unnoticed.

Dave Cridland
March 17, 2016, 6:40 PM

Pretty sure that this is just a particular exploit possible using CSRF attacks, rather than a vulnerability in itself. I'll try to see what we can do about this.

Simon Waters
December 16, 2016, 4:58 PM

In testing 4.1.beta, a CSRF token is now provided, and tested for on /user-edit-form.jsp.

This ticket can be closed.

Fixed

Assignee

Dave Cridland

Reporter

wroot

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major