CVE-2015-7707 Admin Console Privilege Escalation Vulnerability

Description

hyp3rlinx reported that Openfire v3.10.2 suffers from a privilege escalation vulnerability.

Vulnerability Details:

  • No check is made when updating user privileges, allowing a regular user to become an admin.

  • Escalation can also be done remotely if the user is logged in, as no CSRF token exists.

Exploit code(s):
http://localhost:9090/user-edit-form.jsp?username=test02&save=true&name=test02&email=tim.durden+test02@surevine.com&isadmin=on

Full Details: https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html
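As an added example (not Openfire's own code), a hypothetical Python handler that enforces the two server-side controls the report says were missing, a privilege check and a CSRF token check, run against the exploit URL quoted above; the session dicts and the `csrf` parameter name are assumptions.

```python
"""Simulated server-side check for the user-edit request in this ticket.
Added example, not Openfire code: enforces the two missing controls
(caller must be an admin to set isadmin; a CSRF token must match)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Exploit URL quoted in the ticket; only its query string matters here.
REPORTED_URL = ("http://localhost:9090/user-edit-form.jsp?username=test02&save=true"
                "&name=test02&email=tim.durden+test02@surevine.com&isadmin=on")


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the caller's session (hypothetical helper)."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def authorize_user_edit(session: dict, url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-edit-form.jsp request.
    Order matters: authentication, then CSRF, then the privilege change,
    so a forged request never reaches the isadmin logic."""
    params = {k: v[-1] for k, v in parse_qs(urlparse(url).query).items()}
    if params.get("save") != "true":
        return True, "form display only, nothing saved"
    if not session.get("user"):
        return False, "not authenticated"
    expected = session.get("csrf")
    supplied = params.get("csrf", "")
    # Constant-time compare; a missing token counts as a mismatch.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    if "isadmin" in params and not session.get("is_admin", False):
        return False, "only admins may change admin status"
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    results = []
    # Constructed sessions. 1) Logged-in admin, URL exactly as reported: no token -> rejected.
    admin = {"user": "admin", "is_admin": True}
    issue_csrf_token(admin)
    results.append(authorize_user_edit(admin, REPORTED_URL))
    # 2) Valid token but non-admin session: the isadmin change is still refused.
    user = {"user": "test02", "is_admin": False}
    tok = issue_csrf_token(user)
    results.append(authorize_user_edit(user, REPORTED_URL + "&csrf=" + tok))
    # 3) Valid token from the admin session: allowed.
    results.append(authorize_user_edit(admin, REPORTED_URL + "&csrf=" + admin["csrf"]))
    return results
```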

Environment

None

Activity

Simon Waters December 16, 2016 at 4:58 PM

In testing 4.1.beta a CSRF token is now provided, and tested for on /user-edit-form.jsp.

This ticket can be closed.

Dave Cridland March 17, 2016 at 6:40 PM

Pretty sure that this is just a particular exploit possible using CSRF attacks, rather than a vulnerability in itself. I'll try to see what we can do about this.

Tim Durden January 4, 2016 at 2:59 PM

Further investigation suggests that while it is possible to update user permissions via a single request, this is only possible if an admin is already logged in to the Openfire admin console. However, combined with a XSS exploit, this could be used to escalate permissions unnoticed.

Tim Durden January 4, 2016 at 2:47 PM

Originally, this ticket covered 5 security issues raised in Openfire 3.10.2. I've split these out into their own respective tickets, as below:

Fixed

Created September 15, 2015 at 6:06 PM
Updated October 28, 2020 at 11:02 AM
Resolved December 16, 2016 at 8:27 PM