hyp3rlinx reported that Openfire v3.10.2 suffers from a Remote File Inclusion (RFI) vulnerability.
In "available-plugins.jsp" there is no validation for plugin downloads, allowing arbitrary file downloads from anywhere on the internet.
On line 40, the only condition that must be satisfied is that the parameter is not null.
If that check passes, the application downloads whatever file you give it.
1) Download arbitrary file, e.g.
Our RFI will then be downloaded to the "openfire\plugins" directory.
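As an added illustration, not taken from the advisory or from Openfire's own source, the Java class below contrasts the bare non-null check the advisory describes with a validator that accepts only an absolute https URL on an allowlisted plugin host, without embedded user info, whose path ends in ".jar"; it also derives the on-disk file name from the validated path alone so nothing outside the plugins directory can be targeted. The class and method names and the trusted host "plugins.example.org" are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example, not Openfire's code: replaces a non-null check on a plugin
// download URL with an allowlist-based validation of scheme, host and path.
public class PluginUrlValidator {

    // Assumed trusted plugin repository host (placeholder, not Openfire's real list).
    private static final Set<String> TRUSTED_HOSTS = Set.of("plugins.example.org");

    // The weak check the advisory describes: any non-null value is accepted.
    static boolean weakCheck(String url) {
        return url != null;
    }

    // Hardened check: non-null, parseable, https, no user-info, allowlisted host,
    // default port only, and a .jar path with no parent-directory segments.
    static boolean isAllowedPluginUrl(String url) {
        if (url == null || url.isBlank()) return false;
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false; // rejects https://trusted@other-host/
        String host = uri.getHost();
        if (host == null || !TRUSTED_HOSTS.contains(host.toLowerCase())) return false;
        if (uri.getPort() != -1 && uri.getPort() != 443) return false;
        String path = uri.getPath();
        if (path == null || !path.endsWith(".jar")) return false;
        if (path.contains("..")) return false;
        return true;
    }

    // Derive the file name written under the plugins directory from the validated
    // URL path only, and restrict it to a conservative character set.
    static String fileNameFor(String url) {
        if (!isAllowedPluginUrl(url)) {
            throw new IllegalArgumentException("plugin URL not allowed");
        }
        String path = URI.create(url).getPath();
        String name = path.substring(path.lastIndexOf('/') + 1);
        if (!name.matches("[A-Za-z0-9_.-]+\\.jar") || name.startsWith(".")) {
            throw new IllegalArgumentException("bad plugin file name");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[] samples = {
            "https://plugins.example.org/releases/foo.jar",
            "http://plugins.example.org/releases/foo.jar",
            "https://untrusted.example.net/foo.jar",
            "https://plugins.example.org@untrusted.example.net/foo.jar",
            "https://plugins.example.org/../../conf/x.jar",
            null
        };
        for (String s : samples) {
            System.out.printf("%-60s weak=%b hardened=%b%n",
                    s, weakCheck(s), isAllowedPluginUrl(s));
        }
        System.out.println("file name: " + fileNameFor(samples[0]));
    }
}
```

Of the six sample inputs only the first passes the hardened check, while the weak check accepts all five non-null values; the user-info case is the one most easily missed, because a naive substring check for the trusted host name would pass it even though the connection goes to the other host.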