Please find attached a detailed advisory of the vulnerability.
Alternatively, the advisory can also be found at:
http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt
Advisory: Openfire Server Multiple Vulnerabilities
Advisory ID: AKADV2008-001
Release Date: 2008/11/07
Revision: 1.0
Last Modified: 2008/11/07
Date Reported: 2008/05/17
Author: Andreas Kurtz (mail at andreas-kurtz.de)
Affected Software: Openfire Server <= 3.6.0a
Remotely Exploitable: Yes
Risk: Critical (x) High ( ) Medium ( ) Low ( )
Vendor URL: http://www.igniterealtime.org
http://www.jivesoftware.com/
Vendor Status: No patch released yet.
Patch development time: N/A
Vulnerability description:
--------------------------
The Jabber server Openfire (<= version 3.6.0a) contains several serious
vulnerabilities. Depending on the particular runtime environment, these
issues can potentially even be used by an attacker to execute code
at the operating system level.
1) Authentication bypass
This vulnerability provides an attacker with full access to all functions
in the admin web interface without providing any user credentials.
The Tomcat filter which is responsible for authentication can be
completely circumvented.
2) SQL injection
It is possible to pass SQL statements to the backend database through
a SQL injection vulnerability. Depending on the particular
runtime environment and database permissions, it is even possible to
write files to disk and execute code at the operating system level.
3) Multiple Cross-Site Scripting
Permits arbitrary insertion of HTML and JavaScript code in login.jsp.
An attacker could also manipulate a parameter to specify
a destination to which a user will be forwarded after successful
authentication.
Technical details:
------------------
1) Authentication bypass
Authentication to the Openfire admin interface is secured by a filter in
the Tomcat application server (org.jivesoftware.admin.AuthCheckFilter).
This filter guarantees that access to the admin interface is only granted
to authenticated users. Otherwise, they are redirected to a login page.
A design error in Openfire enables access to internal functions
without the need for admin user credentials.
The deployment descriptor (web.xml) configures some exclude values
for the AuthCheckFilter:
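As an added illustration of the filter pattern described above (example code, not Openfire's AuthCheckFilter and not part of the advisory), the following servlet filter reads an exclude list from web.xml, decides on the normalized path rather than the raw URL, and treats excludes as whole-path matches only. The class name, the "excludes" init-param and the "admin.authenticated" session attribute are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical admin-console authentication filter (not Openfire's own code).
public class AdminAuthFilter implements Filter {
    // Pages reachable without a session, read from a comma-separated init-param
    // in web.xml (constructed configuration, e.g. "/login.jsp,/images/logo.gif").
    private final Set<String> excludes = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("excludes");
        if (param == null) return;
        for (String e : param.split(",")) excludes.add(e.trim());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decide on the path inside the webapp with "." and ".." resolved and the
        // query string stripped; a URI that cannot be parsed is never excluded.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        boolean excluded = false;
        try {
            String normalized = new URI(null, null, path, null).normalize().getPath();
            // Whole-path comparison only: a substring or prefix test would let an
            // unrelated page pass simply because its URL contains the excluded text.
            excluded = excludes.contains(normalized);
        } catch (URISyntaxException ignored) { }

        HttpSession session = request.getSession(false);
        boolean authenticated = session != null
                && Boolean.TRUE.equals(session.getAttribute("admin.authenticated"));

        if (excluded || authenticated) {
            chain.doFilter(req, res);
        } else {
            // Not excluded and no authenticated session: send to the login page.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }

    @Override
    public void destroy() { }
}
```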