Openfire 3.8.2 server new admin password/add new admin exploit

http://1337day.com/exploits/21338

Thanks for the report. Have filed this as OF-705. But without any actual code sample not much can be done. IgniteRealtime is no a commercial company and we have no spare “gold”.

the only way i can see it getting the username/credentials from an admin user would be to visit a pwned page that exploits your browser into giving up stored cookie with and active session. that would make it browser specific exploit, not universal. and/or another possibility would be to exploit the HTTP bindings openfire uses… but that woudl require the server to be configured as such…

Hi guys,

I stumbled over this by chance and may be able to shed some light on it without spending “gold”.

They do not claim to be able to get at your credentials, but rather that they could (with some luck) change the admin credentials or even create new admin users with credentials set by them. This seems to be a CSRF attack.

More info in private mail.

Thanks for the info. I will pass this to developers (a few we have).

There are still security flaws in openfire admin web console. The general advise is to never leave you Admin session open while you browse other websites.

Login in, make your changes and log out

So this is not news (and I admit that guy found a lot more than me). I agree, that should be the advice for the time being.

Thanks,

Jan

FYI - cross-posting conversation re: CSRF here. XSS vulnerabilities have been addressed in a pending pull request.