CVE-2023-32315: Administration Console authentication bypass

Vaibhav Kumar Srivastava
3 min read · Jul 29, 2023


Openfire is an open-source XMPP (Extensible Messaging and Presence Protocol) server that enables real-time communication through instant messaging (IM) and group chat. The Openfire server comes with an administrative console, which is a web-based interface used to manage and configure the server settings. The administrative console allows administrators to control various aspects of the Openfire server, such as user management, chat rooms, security settings, and plugins.

An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community.

Impact:

Openfire’s administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.

Affected Versions:

This vulnerability affects all versions of Openfire released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire releases 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be-released first version on the 4.8 branch (which is expected to be version 4.8.0).

Exploitation:

Step 1: Navigate to the endpoint that opens the Openfire Admin Console.

Step 2: Append the path "/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp", as shown in the screenshot below.

Step 3: The Openfire log files are now accessible, which confirms that this instance of Openfire is affected by the vulnerability.

Please note that different versions of Openfire display the log files differently (as you can see in the screenshot below).
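As an added example (not part of the original post), a defender-side check that scans access-log lines for requests entering through the unauthenticated /setup/ path but normalizing to a page outside it, decoding the %u002e form shown above as well as ordinary percent-encoding. The log lines are constructed for this example and assume a common access-log layout.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Line 2 uses the
# %u002e traversal from the write-up; line 4 uses plain percent-encoding.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1234
203.0.113.7 - - [29/Jul/2023:10:01:05 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1" 200 8821
203.0.113.9 - - [29/Jul/2023:10:02:11 +0000] "GET /setup/index.jsp HTTP/1.1" 200 2210
203.0.113.9 - - [29/Jul/2023:10:02:30 +0000] "GET /setup/%2e%2e/user-summary.jsp HTTP/1.1" 200 5100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PCT_U_RE = re.compile(r'%u([0-9a-fA-F]{4})')


def decode_path(raw: str) -> str:
    """Decode non-standard %uXXXX escapes and ordinary %XX escapes, then
    collapse dot segments the way a servlet container resolves them."""
    path = raw.split('?', 1)[0]
    path = PCT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), path)
    path = unquote(path)
    return normpath(path)


def find_setup_traversals(log_text: str):
    """Return (client_ip, raw_path, resolved_path) for every request whose raw
    path starts with /setup/ but resolves to a page outside /setup/.
    Such a request is the signature of this bypass: the authentication
    check sees the setup prefix while the container serves another page."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group('path')
        if not raw.lower().startswith('/setup/'):
            continue
        resolved = decode_path(raw)
        if not resolved.lower().startswith('/setup/'):
            hits.append((line.split(' ', 1)[0], raw, resolved))
    return hits


if __name__ == '__main__':
    for ip, raw, resolved in find_setup_traversals(SAMPLE_LOG):
        print(f'{ip}: {raw} -> {resolved}')
```

Legitimate setup traffic (line 3) stays inside /setup/ after normalization and is not flagged.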

Recon!!

In order to find multiple endpoints where you can test this vulnerability, or to check whether the target application is vulnerable, follow the steps below.

Step 1: Open Shodan and search for http.title:"Openfire Admin Console".

Step 2: It has been observed that Shodan lists multiple endpoints that redirect to the Openfire Admin Console. You can test the exploit as shown above.

Mitigation

The problem has been patched in Openfire releases 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be-released first version on the 4.8 branch (which is expected to be version 4.8.0).

However, if a dependency prevents upgrading, there are multiple other ways to remediate the issue. The options are listed here: https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm

STAY CURIOUS!! STAY PROTECTED!!