Executive Summary

This alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary
Title : Openfire: Multiple vulnerabilities
Information
Name : GLSA-200904-01
First vendor Publication : 2009-04-02
Vendor : Gentoo
Last vendor Modification : 2009-04-02
Severity (Vendor) : Normal
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability Sub Score : NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score : 7.5
Attack Range : Network
Cvss Impact Score : 6.4
Attack Complexity : Low
Cvss Exploit Score : 10
Authentication : None Required

Detail

Synopsis

Multiple vulnerabilities were discovered in Openfire, the worst of which may allow remote execution of arbitrary code.

Background

Ignite Realtime Openfire is a fast real-time collaboration server.

Description

Two vulnerabilities have been reported by Federico Muttis, from CORE IMPACT's Exploit Writing Team:

* Multiple missing or incomplete input validations in several .jsps (CVE-2009-0496).

* Incorrect input validation of the "log" parameter in log.jsp (CVE-2009-0497).

Multiple vulnerabilities have been reported by Andreas Kurtz:

* Erroneous built-in exceptions to input validation in login.jsp (CVE-2008-6508).

* Unsanitized user input to the "type" parameter in sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509)

* A Cross-Site-Scripting vulnerability due to unsanitized input to the "url" parameter. (CVE-2008-6510, CVE-2008-6511)
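
For triage on a server that has not yet been upgraded, the pages and parameters named in this advisory and in the OSVDB entries further down can be checked against web access logs. The following is an added example, not code from the advisory or from Openfire; the access-log format, the root-level request paths, the sample lines and the regex heuristics are all assumptions of the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Page -> (parameter, weakness class) pairs named in the advisory / OSVDB entries on this page.
WATCHED = {
    "log.jsp": [("log", "traversal"), ("log", "xss")],
    "logviewer.jsp": [("log", "xss")],
    "sipark-log-summary.jsp": [("type", "sqli")],
    "login.jsp": [("url", "xss"), ("url", "redirect")],
    "server-properties.jsp": [("propName", "xss")],
    "user-properties.jsp": [("username", "xss")],
    "group-summary.jsp": [("search", "xss")],
}
# Coarse triage heuristics (assumptions of this example, not vendor signatures).
CHECKS = {
    "traversal": re.compile(r"\.\.[/\\]|^[/\\]"),
    "xss": re.compile(r'[<>"]|javascript:', re.I),
    "sqli": re.compile(r'''['";]|--|\b(?:union|select)\b''', re.I),
    "redirect": re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines with placeholder paths, not captured traffic
    '192.0.2.10 - - [02/Apr/2009:10:00:01 +0000] "GET /log.jsp?log=info HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Apr/2009:10:00:05 +0000] "GET /log.jsp?log=..%2F..%2Fexample.txt HTTP/1.1" 200 812',
    '198.51.100.7 - - [02/Apr/2009:10:00:09 +0000] "GET /sipark-log-summary.jsp?type=x%27%20OR%20%271 HTTP/1.1" 200 90',
    '198.51.100.7 - - [02/Apr/2009:10:00:12 +0000] "GET /login.jsp?url=%2F%2Fexample.invalid%2F HTTP/1.1" 200 2048',
    '192.0.2.10 - - [02/Apr/2009:10:00:20 +0000] "GET /group-summary.jsp?search=staff HTTP/1.1" 200 4096',
]

def findings(line):
    """Return (page, parameter, weakness) tuples for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    page = url.path.rsplit("/", 1)[-1]          # match on the JSP file name only
    params = parse_qs(url.query, keep_blank_values=True)
    hits = []
    for name, kind in WATCHED.get(page, []):
        for value in params.get(name, []):
            value = unquote(value)               # second decode catches double-encoded input
            if CHECKS[kind].search(value):
                hits.append((page, name, kind))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(findings(line), line.split('"')[1])
```

A hit is a lead for review, not proof of compromise; the durable fix remains the upgrade given under Resolution.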

Impact

A remote attacker could execute arbitrary code on clients' systems by uploading a specially crafted plugin, bypassing authentication.
Additionally, an attacker could read arbitrary files on the server or execute arbitrary SQL statements. Depending on the server's configuration the attacker might also execute code on the server via an SQL injection.

Workaround

There is no known workaround at this time.

Resolution

All Openfire users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/openfire-3.6.3"

References

[ 1 ] CVE-2008-6508 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6508
[ 2 ] CVE-2008-6509 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6509
[ 3 ] CVE-2008-6510 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6510
[ 4 ] CVE-2008-6511 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6511
[ 5 ] CVE-2009-0496 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0496
[ 6 ] CVE-2009-0497 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0497

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200904-01.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200904-01.xml

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
33 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
17 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
17 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 28

ExploitDB Exploits

id Description
2012-06-28 Openfire <= 3.6.0a Admin Console Authentication Bypass

OpenVAS Exploits

Date Description
2009-04-06 Name : Gentoo Security Advisory GLSA 200904-01 (openfire)
File : nvt/glsa_200904_01.nasl
2009-03-26 Name : Openfire Multiple Vulnerabilities (Mar09)
File : nvt/secpod_openfire_mult_vuln_mar09.nasl
2009-02-11 Name : Ignite Realtime OpenFire Multiple Vulnerabilities
File : nvt/gb_openfire_mult_vuln.nasl
2009-01-26 Name : FreeBSD Ports: openfire
File : nvt/freebsd_openfire1.nasl
2008-12-02 Name : Openfire 'AuthCheck Filter' Security Bypass Vulnerability
File : nvt/secpod_openfire_secbypass_900401.nasl
2008-11-24 Name : FreeBSD Ports: openfire
File : nvt/freebsd_openfire0.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
52903 Openfire login.jsp url Parameter Arbitrary Site Redirect

52902 Openfire Admin Console login.jsp url Parameter XSS

51912 Openfire SIP Plugin CallLogDAO sipark-log-summary.jsp type Parameter SQL Inje...

Openfire SIP Plugin CallLogDAO contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'sipark-log-summary.jsp' script not properly sanitizing user-supplied input to the 'type' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

51426 Openfire log.jsp log Parameter Traversal Arbitrary File Access

51425 Openfire muc-room-edit-form.jsp Multiple Parameter XSS

51424 Openfire server-properties.jsp propName Parameter XSS

Openfire contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'propName' parameter upon submission to the 'server-properties.jsp' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

51423 Openfire audit-policy.jsp Multiple Parameter XSS

51422 Openfire user-properties.jsp username Parameter XSS

Openfire contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'username' parameter upon submission to the 'user-properties.jsp' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

51421 Openfire group-summary.jsp search Parameter XSS

Openfire contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'search' parameter upon submission to the 'group-summary.jsp' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

51420 Openfire log.jsp log Parameter XSS

Openfire contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'log' parameter upon submission to the 'log.jsp' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

51419 Openfire logviewer.jsp log Parameter XSS

49663 Openfire AuthCheck Filter URL Traversal Admin Authentication Bypass

Snort® IPS/IDS

Date Description
2014-01-10 Jive Software Openfire muc-room-edit-form.jsp XSS attempt
RuleID : 20868 - Revision : 8 - Type : SERVER-WEBAPP
2014-01-10 Jive Software Openfire server-properties.jsp XSS attempt
RuleID : 20867 - Revision : 8 - Type : SERVER-WEBAPP
2014-01-10 Jive Software Openfire audit-policy.jsp XSS attempt
RuleID : 20866 - Revision : 8 - Type : SERVER-WEBAPP
2014-01-10 Jive Software Openfire user-properties.jsp XSS attempt
RuleID : 20865 - Revision : 8 - Type : SERVER-WEBAPP
2014-01-10 Jive Software Openfire group-summary.jsp XSS attempt
RuleID : 20864 - Revision : 8 - Type : SERVER-WEBAPP
2014-01-10 Jive Software Openfire log.jsp XSS attempt
RuleID : 20863 - Revision : 8 - Type : SERVER-WEBAPP
2014-01-10 Jive Software Openfire logviewer.jsp XSS attempt
RuleID : 20862 - Revision : 8 - Type : SERVER-WEBAPP
2014-01-10 Jive Software Openfire Jabber Server injection attempt
RuleID : 16513 - Revision : 4 - Type : SQL
2014-01-10 Jive Software Openfire Jabber Server SQL injection attempt
RuleID : 16450 - Revision : 5 - Type : SQL
2014-01-10 Jive Software Openfire Jabber Server serverdown Authentication bypass attempt
RuleID : 15156 - Revision : 7 - Type : PUA-OTHER
2014-01-10 Jive Software Openfire Jabber Server png Authentication bypass attempt
RuleID : 15155 - Revision : 8 - Type : PUA-OTHER
2014-01-10 Jive Software Openfire Jabber Server gif Authentication bypass attempt
RuleID : 15154 - Revision : 8 - Type : PUA-OTHER
2014-01-10 Jive Software Openfire Jabber Server setup Authentication bypass attempt
RuleID : 15153 - Revision : 10 - Type : PUA-OTHER
2014-01-10 Jive Software Openfire Jabber Server setup-index Authentication bypass attempt
RuleID : 15152 - Revision : 7 - Type : PUA-OTHER
2014-01-10 Jive Software Openfire Jabber Server logout Authentication bypass attempt
RuleID : 15151 - Revision : 7 - Type : PUA-OTHER
2014-01-10 Jive Software Openfire Jabber Server login Authentication bypass attempt
RuleID : 15150 - Revision : 7 - Type : PUA-OTHER

Nessus® Vulnerability Scanner

Date Description
2009-04-03 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200904-01.nasl - Type : ACT_GATHER_INFO
2009-02-09 Name : The remote host contains an application that is affected by multiple vulnerab...
File : openfire_3_6_3.nasl - Type : ACT_GATHER_INFO
2009-01-26 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_c3aba586ea7711dd9d1e000bcdc1757a.nasl - Type : ACT_GATHER_INFO
2008-11-21 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_937adf01b64a11dda55e00163e000016.nasl - Type : ACT_GATHER_INFO
2008-11-09 Name : The remote web server contains an application that is affected by an authenti...
File : openfire_3_6_0a_auth_bypass.nasl - Type : ACT_ATTACK

Alert History

Date Information
2014-02-17 11:36:27
  • Multiple Updates