Advisory: Openfire Server Multiple Vulnerabilities Advisory ID: AKADV2008-001 Release Date: 2008/11/07 Revision: 1.0 Last Modified: 2008/11/07 Date Reported: 2008/05/17 Author: Andreas Kurtz (mail at andreas-kurtz.de) Affected Software: Openfire Server <= 3.6.0a Remotely Exploitable: Yes Risk: Critical (x) High ( ) Medium ( ) Low ( ) Vendor URL: http://www.igniterealtime.org http://www.jivesoftware.com/ Vendor Status: No patch released yet. Patch development time: N/A Vulnerability description: -------------------------- The jabber server Openfire (<= version 3.6.0a) contains several serious vulnerabilities. Depending on the particular runtime environment these issues can potentially even be used by an attacker to execute code on operating system level. 1) Authentication bypass This vulnerability provides an attacker full access to all functions in the admin webinterface without providing any user credentials. The Tomcat filter which is responsible for authentication could be completely circumvented. 2) SQL injection It is possible to pass SQL statements to the backend database through a SQL injection vulnerability. Depending on the particular runtime environment and database permissions it is even possible to write files to disk and execute code on operating system level. 3) Multiple Cross-Site Scripting Permits arbitrary insertion of HTML- and JavaScript code in login.jsp. An attacker could also manipulate a parameter to specify a destination to which a user will be forwarded to after successful authentication. Technical details: ------------------ 1) Authentication bypass Authentication to the openfire admin interface is secured by a filter in the Tomcat application server (org.jivesoftware.admin.AuthCheckFilter). This filter guarantees that access to the admin interface is only granted to authenticated users. Otherwise they get redirected to a login page. A design error in Openfire enables access to internal functions without the need for admin user credentials. The deployment descriptor (web.xml) configures some exclude values for the AuthCheckFilter: AuthCheck org.jivesoftware.admin.AuthCheckFilter excludes login.jsp,index.jsp?logout=true,setup/index.jsp, setup/setup-,.gif,.png,error-serverdown.jsp When a request URL contains one of these Exclude-Strings the auth check mechanism is totally circumvented. This was considered necessary for the initial setup process or the presence plugin. Following POC demonstrates how an attacker could access internal functions by manipulating the URL providing one of these excludes(/setup/setup-/../../): http://www.foo.bar:9090/setup/setup-/../../log.jsp?log=info&mode=asc&lines= All 2) SQL injection The parameter "type" in sipark-log-summary.jsp is prone to SQL injection. Untrusted user data enters the application in sipark-log-summary.jsp (line 163): String type = ParamUtils.getParameter(request, "type"); The function getCalls() in org.jivesoftware.openfire.sip.calllog.CallLogDAO processes this user input (SQLCondition) and constructs a SQL statement: String sql = "SELECT * FROM sipPhoneLog"; sql = SQLCondition != null && !SQLCondition.equals("") ? sql + " WHERE " + SQLCondition : sql; sql += " ORDER BY datetime DESC"; That statement is executed in the method createScrollablePreparedStatement() in CallLogDAO (line 411): return con.prepareStatement(sql); In that case there is a SQL injection vulnerability present even though prepared statemens are used. This happens because the string sql is dynamically concatenated *before* it is passed to the prepared statement object. 3) Cross-Site Scripting The parameter "url" in login.jsp was vulnerable to Cross-Site Scripting (XSS). This vulnerability is the only one which was fixed within the last 6 months. http://www.foo.bar:9090/login.jsp?url="/>