How to detect vulnerability CVE-2020-24602?
Posted on 21st Sep, 2020 | By Bhavithra
Cyber Security Works discovered a new zero-day vulnerability, CVE-2020-24602 in Ignite Realtime Openfire 4.5.1. Openfire (formerly Wildfire). Openfire is a cross-platform real-time collaboration server based on the XMPP protocol. The vulnerability was discovered by CSW Security Researcher on Feb 5 2020.
CVE-2020-24602 was detected manually using the burp suite tool. In the Openfire application, the search functionality in the admin account is vulnerable to reflected cross-site scripting attacks due to missing input validation and lack of output encoding.
The vulnerability was disclosed to Openfire on Feb 5, 2020. The vendor responded and released a patch on March 6, 2020, to mitigate this vulnerability.
|Feb 4, 2020||Vulnerability discovered by CSW Security Researcher.|
|Feb 5, 2020||Reported to Vendor|
|Feb 6, 2020||The Vendor confirmed the vulnerability|
|Feb 13, 2020||Follow up with vendor for fix release|
|Mar 13, 2020||Follow up with Vendor for fix release|
|Mar 6, 2020||Vendor responded fix released and confirmed changes will be part of Openfire 4.5.1|
|Aug 24, 2020||CVE assigned|
|Sep 1, 2020||Vendor updated CVE|
Proof of Concept
Product: Openfire Product
Vendor: Ignite Realtime
Product version: Openfire version 4.5.1
Request type: GET
Vulnerable URL: http://localhost:9090/server-properties.jsp,
Vulnerable Parameter: “searchName”,” searchValue”, “searchDescription”, “searchDefaultValue”, “searchPlugin”, “searchDescription” and “searchDynamic” a
Steps to Reproduce:
Issue 01: Reflected Cross-Site Scripting
Step 1: Log in to the application (admin) through this URL in Firefox.
Similarly, add XSS payload '+accesskey='X'+onclick='alert(document.cookie) to the other vulnerable variables “searchName”,” searchValue”, “searchDescription”, searchDefaultValue”, “searchPlugin”,“searchDescription” and “searchDynamic” in formid ‘paginationForm’ which reflects in the browser.
Figure 1: Injected XSS payload '+accesskey='X'+onclick='alert(document.cookie), gets reflected in the browser response.
We recommend the following fixes to this vulnerability
Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library
Implement input validation for special characters on all the variables reflecting the browser and storing it in the database
Implement client-side validation
If this vulnerability is exploited successfully, it may result in the stealing of cookies, disclosure of end-user files, and redirection of the user to another page or site.
Based on the CSW team's recommendations, Ignite Realtime Openfire executed a validation on their end to mitigate this vulnerability.