Admin Cross Site Scripting (XSS) Vulnerabilities

Description

hyp3rlinx has reported several Persistent & Reflected XSS issues in the Openfire v3.10.2 admin console. A couple of these require the Client Control plugin to be installed.

Full details at: https://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html

Vulnerability Details:

1) Persistent XSS exists when creating a Group Chat Bookmark; the XSS will execute each time the victim accesses the 'Group Chat Bookmarks' web page. The vulnerable parameter is 'groupchatName'. The XSS will be stored in the 'ofbookmark' table, in the 'bookmarkName' column of the MySQL DB, and will be under bookmarkType as 'group_chat'.

2) Persistent XSS exists when creating URL Bookmarks; the vulnerable parameter is 'urlName'. The XSS will be stored in the 'ofbookmark' table, in the 'bookmarkName' column of the MySQL DB, and will be under column bookmarkType as 'url'.

3) A reflected XSS entry point exists in the search parameter; script tags fail, but we can defeat this using the onMouseMove() JS function.

Exploit Code(s):

1) Persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=group_chat
Inject the following payload into the 'Group Chat Name' field, then click 'Create'.

2) Persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=url
Inject the following payload into the 'URL Name' field, then click 'Create'.

3) Reflected XSS:

4) Reflected XSS:

Environment

None

Activity

Dave Cridland 
December 21, 2016 at 11:37 AM

Simon Waters 
December 16, 2016 at 3:33 PM

Item 4 group-summary search parameter is still present in 4.1.beta

I was unable to locate the create-bookmark feature in clientcontrol.
I was unable to reproduce the issue described in exploit 3.

Other XSS issues found will be reported separately.

Fixed

Created January 4, 2016 at 5:14 PM
Updated October 28, 2020 at 11:02 AM
Resolved December 21, 2016 at 11:37 AM
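
The items in this report share one remedy: encode values when they are written into the page, rather than filtering script tags on input. The following is an added illustration, not Openfire's or the reporter's code. The class, the helper names and the sample value are hypothetical. It shows why a stored 'bookmarkName' or a reflected 'search' value with no script tag can still carry an event-handler attribute, and how output encoding neutralizes it.

```java
import java.util.regex.Pattern;

// Added illustration; class, method names and sample values are hypothetical,
// not taken from Openfire or the Client Control plugin.
public class BookmarkOutputEncoding {

    // Weak approach: a blocklist filter that removes <script> tags only.
    private static final Pattern SCRIPT_TAG = Pattern.compile("(?i)</?script[^>]*>");

    static String stripScriptTags(String s) {
        return SCRIPT_TAG.matcher(s).replaceAll("");
    }

    // Corrected approach: encode every character that is significant in HTML
    // text and quoted-attribute contexts before writing it to the page.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Renders a value the way a search box would echo it back.
    static String renderSearchField(String preparedValue) {
        return "<input type=\"text\" name=\"search\" value=\"" + preparedValue + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: no script tag, but it closes the attribute and
        // adds an event handler, as item 3 describes.
        String search = "x\" onmousemove=\"alert(1)";
        String weak = renderSearchField(stripScriptTags(search));
        String safe = renderSearchField(escapeHtml(search));
        System.out.println("filtered only: " + weak);
        System.out.println("encoded:       " + safe);
        System.out.println("handler survives filter:  " + weak.contains(" onmousemove=\""));
        System.out.println("handler survives encoder: " + safe.contains(" onmousemove=\""));
    }
}
```

The same encoder applies when a stored 'bookmarkName' is read back from the 'ofbookmark' table and written into the bookmarks page.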