OpenFire 3.6.4 Admin Console XSS
Posted by: thrill
Date: June 10, 2010 04:05PM

Software: OpenFire 3.6.4 Admin Web Console
Severity: Critical (duh! it's the admin!)
History:
05/31/2010 - Discovery
06/01/2010 - Informed support and security @ jivesoftware.com
06/03/2010 - Follow-up email to security@
06/10/2010 - Public release

Details:

It is possible to modify your favorite IM client to execute a script on the Admin's browser:



Most administrators will disable NoScript and RequestPolicy (if they're using Firefox) on internal domains, so this vulnerability makes it very easy to execute a script from a trusted domain.



Mitigation:

Use NoScript & request forgery on ALL domains, not just external, or if you're 3r33t0, hack up their code and fix it!

Vendor Response:

Not even a "go screw yourself!"

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

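The post does not show which admin-console field renders the client-supplied value, but the "hack up their code and fix it" mitigation is the same regardless of field: every value that originates from the IM client (resource, client name, status text, and so on) has to be HTML-encoded before it is concatenated into the admin page. The Java below is an added illustration written for this thread, not Openfire's own code: the session fields, the `renderRowUnsafe`/`renderRowSafe` helpers and the sample data are all hypothetical, and `escapeHtml` is a stand-alone encoder rather than any Openfire utility. It shows the vulnerable concatenation pattern next to the encoded version and checks that the encoded output no longer contains a raw tag.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical, not Openfire code): output encoding for
// client-controlled values shown in an admin web console.
public class AdminConsoleEscaping {

    // Minimal HTML entity encoder for text placed between tags or inside a
    // double-quoted attribute value. The five characters below are the ones
    // that can switch the HTML parser into a different context.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: values reported by the IM client are dropped into
    // the markup as-is, so whatever the client sends is interpreted as HTML.
    public static String renderRowUnsafe(String jid, String clientName) {
        return "<tr><td>" + jid + "</td><td>" + clientName + "</td></tr>";
    }

    // Fixed pattern: every untrusted value is encoded for the HTML text
    // context at the point where it is written into the page.
    public static String renderRowSafe(String jid, String clientName) {
        return "<tr><td>" + escapeHtml(jid) + "</td><td>"
                + escapeHtml(clientName) + "</td></tr>";
    }

    // Returns true if the rendered fragment still contains a raw start tag
    // other than the ones the template itself emits (tr/td). Used here as a
    // simple self-check for the safe renderer.
    public static boolean containsForeignTag(String html) {
        String stripped = html.replace("<tr>", "").replace("</tr>", "")
                              .replace("<td>", "").replace("</td>", "");
        return stripped.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample data: the second "client name" is what a
        // modified IM client could report. Both entries are made up.
        Map<String, String> sessions = new LinkedHashMap<>();
        sessions.put("alice@example.org/desktop", "Pidgin 2.7");
        sessions.put("mallory@example.org/x", "<script>alert(1)</script>");

        for (Map.Entry<String, String> e : sessions.entrySet()) {
            String unsafe = renderRowUnsafe(e.getKey(), e.getValue());
            String safe = renderRowSafe(e.getKey(), e.getValue());
            System.out.println("unsafe: " + unsafe);
            System.out.println("safe:   " + safe);
            if (containsForeignTag(safe)) {
                throw new IllegalStateException("encoding failed for " + e.getKey());
            }
        }
        // The unsafe row for mallory contains a live <script> element; the
        // safe row renders the same bytes as visible text: &lt;script&gt;...
    }
}
```

Encoding at output time, rather than filtering at input time, is what makes this hold for every field the console renders, including ones added later; in a JSP-based console the equivalent is to never write a client-derived value with a bare expression and to route it through the same encoder (or the container's JSTL `<c:out>`, which escapes by default).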
Re: OpenFire 3.6.4 Admin Console XSS
Posted by: thrill
Date: June 10, 2010 10:28PM

and in case anyone missed it.. this was my very first serious XSS.. yes.. you people are rubbing off on me.. when I first got here a couple of days ago (embellishing just a tad), I knew nothing about XSS, CSRF, SQLi, etc.. but with your virtuous teachings through magnificent postings and through computer osmosis, it's begun to stick. So this vuln can only be credited to all of you, the posters to this board.. Thank you!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: OpenFire 3.6.4 Admin Console XSS
Posted by: Anonymous User
Date: June 11, 2010 04:19AM

Honey we are all so proud! :P

@all Shall we do the initiation ritual with him now?

Re: OpenFire 3.6.4 Admin Console XSS
Posted by: Gareth Heyes
Date: June 11, 2010 08:02AM

Gareth brings the sacred holey waf robes, assigns thrill the number 1,000,001 and begins chanting

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: OpenFire 3.6.4 Admin Console XSS
Posted by: thrill
Date: June 11, 2010 10:08AM

@.mario - Honey? guh?

@Gareth - I guess I'm not just 'one in a million'.. now I'm 'one after a million'..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: OpenFire 3.6.4 Admin Console XSS
Posted by: Anonymous User
Date: June 11, 2010 04:26PM

Hahaha - now you have scream dreams right? :P

Re: OpenFire 3.6.4 Admin Console XSS
Posted by: thrill
Date: June 14, 2010 11:41AM

@.mario - not really.. but I'll let you buy me a drink at defcon.. then you can call me whatever you want.. hahaha!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
