hyp3rlinx reported that Openfire v3.10.2 suffers from a privilege escalation vulnerability.
Vulnerability Details:
No check is made when updating the user privileges, allowing a regular user to become an admin.
Escalation can also be done remotely if the user is logged in, as no CSRF token exists.
Exploit code(s):
http://localhost:9090/user-edit-form.jsp?username=test02&save=true&name=test02&email=tim.durden+test02@surevine.com&isadmin=on
Full Details: https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html
Originally, this ticket covered 5 security issues raised in Openfire 3.10.2. I've split these out into their own respective tickets, as below:
OF-777: Openfire 3.10.2 Cross Site Request Forgery - https://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html
OF-1019: Openfire 3.10.2 Cross Site Scripting - https://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html
OF-941: Openfire 3.10.2 Privilege Escalation - https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html
OF-1020: Openfire 3.10.2 Remote File Inclusion - https://packetstormsecurity.com/files/133560/Openfire-3.10.2-Remote-File-Inclusion.html
OF-1021: Openfire 3.10.2 Arbitrary File Upload - https://packetstormsecurity.com/files/133561/Openfire-3.10.2-Arbitrary-File-Upload.html
Further investigation suggests that while it is possible to update user permissions via a single request, this is only possible if an admin is already logged in to the Openfire admin console. However, combined with an XSS exploit, this could be used to escalate permissions unnoticed.
Pretty sure that this is just a particular exploit possible using CSRF attacks, rather than a vulnerability in itself. I'll try to see what we can do about this.
In testing 4.1.beta, a CSRF token is now provided and tested for on /user-edit-form.jsp.
This ticket can be closed.
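As an added illustration of the point made in this thread (not Openfire's code; the real handler is the user-edit-form.jsp page in the admin console), the model below stands in for the save path of that page in Python. The in-memory user store, session store, the `csrf` parameter name and the `require_csrf_token` switch are assumptions; the query parameters are the ones from the reported URL. With the check off, a forged GET that carries only the logged-in admin's session cookie promotes test02; with a per-session token compared on every save, the same forged request is rejected because a page on another origin cannot read the token, while the admin's own form submission still works. It also shows the precondition noted above: with no admin session at all, the request changes nothing.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample user store, not Openfire's.
INITIAL_USERS = {"admin": True, "test02": False}


@dataclass
class Session:
    user: str
    is_admin: bool
    # Per-session secret; the real form would embed it as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    params: Dict[str, str]
    # The browser attaches the session cookie to any request to the console,
    # including one triggered from an attacker's page: that is the CSRF precondition.
    session_cookie: Optional[str]


class AdminConsole:
    """Model of the admin console save path (assumption, not Openfire code)."""

    def __init__(self, require_csrf_token: bool) -> None:
        self.require_csrf_token = require_csrf_token
        self.users = dict(INITIAL_USERS)
        self.sessions: Dict[str, Session] = {}

    def login(self, username: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=username, is_admin=self.users[username])
        return sid

    def user_edit_form(self, req: Request) -> Tuple[int, str]:
        """Handle a user-edit-form request; only the token check separates the two modes."""
        sess = self.sessions.get(req.session_cookie or "")
        if sess is None or not sess.is_admin:
            return 403, "admin login required"
        if req.params.get("save") != "true":
            return 200, "render form"
        if self.require_csrf_token:
            supplied = req.params.get("csrf", "")
            # Constant-time comparison against the token bound to this session.
            if not secrets.compare_digest(supplied, sess.csrf_token):
                return 403, "csrf token missing or invalid"
        target = req.params.get("username", "")
        if target not in self.users:
            return 404, "no such user"
        # Checkbox semantics: isadmin=on promotes, absent demotes.
        self.users[target] = req.params.get("isadmin") == "on"
        return 200, "saved"


# Query parameters from the reported URL, minus the host part.
ADVISORY_PARAMS = {
    "username": "test02", "save": "true", "name": "test02",
    "email": "tim.durden+test02@surevine.com", "isadmin": "on",
}


def forged_request_promotes(require_csrf_token: bool, admin_logged_in: bool = True) -> bool:
    """Simulate an attacker page firing the advisory URL; returns test02's admin flag afterwards."""
    console = AdminConsole(require_csrf_token)
    cookie = console.login("admin") if admin_logged_in else None
    # A cross-origin page cannot read the token out of the admin's form, so none is sent.
    console.user_edit_form(Request(dict(ADVISORY_PARAMS), cookie))
    return console.users["test02"]


def legitimate_update_with_token() -> bool:
    """The admin's own form submission carries the hidden token and still succeeds."""
    console = AdminConsole(require_csrf_token=True)
    cookie = console.login("admin")
    params = dict(ADVISORY_PARAMS, csrf=console.sessions[cookie].csrf_token)
    status, _ = console.user_edit_form(Request(params, cookie))
    return status == 200 and console.users["test02"]


if __name__ == "__main__":
    print("no token check, forged GET promotes test02:", forged_request_promotes(False))
    print("token check, forged GET promotes test02:", forged_request_promotes(True))
    print("no admin session, promotes test02:", forged_request_promotes(False, admin_logged_in=False))
    print("admin submits with token, promotes test02:", legitimate_update_with_token())
```

The token is generated per session and compared with a constant-time check; a token that is global, predictable, or not tied to the session would be readable or guessable by the attacker and would not close the hole. The model also leaves the state change on GET, as in the report, so that the only thing being compared is the token check itself.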