CVE-2015-7707 Admin Console Privilege Escalation Vulnerability

Originally, this ticket covered 5 security issues raised in Openfire 3.10.2. I've split these out into their own respective tickets, as below:

• OF-777: Openfire 3.10.2 Cross Site Request Forgery - https://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html

• OF-1019: Openfire 3.10.2 Cross Site Scripting - https://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html

• OF-941: Openfire 3.10.2 Privilege Escalation - https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html

• OF-1020: Openfire 3.10.2 Remote File Inclusion - https://packetstormsecurity.com/files/133560/Openfire-3.10.2-Remote-File-Inclusion.html

• OF-1021: Openfire 3.10.2 Arbitrary File Upload - https://packetstormsecurity.com/files/133561/Openfire-3.10.2-Arbitrary-File-Upload.html

Further investigation suggests that while it is possible to update user permissions via a single request, this is only possible if an admin is already logged in to the Openfire admin console. However, combined with a XSS exploit, this could be used to escalate permissions unnoticed.

Pretty sure that this is just a particular exploit possible using CSRF attacks, rather than a vulnerability in itself. I'll try to see what we can do about this.

In testing 4.1.beta a CSRF token is now provided, and tested for on /user-edit-form.jsp.

This ticket can be closed.