How to Detect Vulnerability CVE-2020-24602?

Cyber Security Works discovered a new zero-day vulnerability, CVE-2020-24602, in Ignite Realtime Openfire 4.5.1. Openfire (formerly Wildfire) is a cross-platform real-time collaboration server based on the XMPP protocol. The vulnerability was discovered by a CSW security researcher on Feb 5, 2020.

Vulnerability Detection

CVE-2020-24602 was found manually using the Burp Suite tool. In the Openfire admin console, the search functionality is vulnerable to reflected cross-site scripting because the search parameters are neither validated on input nor encoded on output before being echoed back to the browser.

Disclosure

The vulnerability was disclosed to Openfire on Feb 5, 2020. The vendor responded and released a patch on March 6, 2020, to mitigate this vulnerability.

Timeline

Date          Description
Feb 4, 2020   Vulnerability discovered by CSW Security Researcher
Feb 5, 2020   Reported to vendor
Feb 6, 2020   Vendor confirmed the vulnerability
Feb 13, 2020  Follow-up with vendor for fix release
Mar 13, 2020  Follow-up with vendor for fix release
Mar 6, 2020   Vendor responded that a fix was released and confirmed the changes will be part of Openfire 4.5.1
Aug 24, 2020  CVE assigned
Sep 1, 2020   Vendor updated CVE

Vulnerability Analysis

CVE-2020-24602 is a reflected cross-site scripting vulnerability in Openfire (version 4.5.1). A cross-site scripting (XSS) attack causes arbitrary JavaScript to run in a user's browser in the context of a trusted web site; the application becomes the vehicle for attacking its own users. In Openfire 4.5.0 the XSS payload executes whenever the user views the response to the crafted POST request that carries it.

Proof of Concept

Product: Openfire Product

Vendor: Ignite Realtime

Product version: Openfire version 4.5.1

Privilege: admin

Request type: GET

Vulnerable URLs: http://localhost:9090/server-properties.jsp and http://localhost:9090/security-audit-viewer.jsp

Vulnerable parameters: "searchName", "searchValue", "searchDescription", "searchDefaultValue", "searchPlugin" and "searchDynamic"

Steps to Reproduce:

Issue 01: Reflected Cross-Site Scripting

Step 1: Log in to the application (admin) through this URL in Firefox.

Step 2: Navigate to this URL and press ALT+SHIFT+X to execute the malicious javascript in the browser.

Similarly, add the XSS payload '+accesskey='X'+onclick='alert(document.cookie) to the other vulnerable parameters "searchName", "searchValue", "searchDescription", "searchDefaultValue", "searchPlugin" and "searchDynamic" in the form with id 'paginationForm'; each is reflected in the browser response.

Figure 1: The injected XSS payload '+accesskey='X'+onclick='alert(document.cookie) is reflected in the browser response.

Mitigation

We recommend the following fixes for this vulnerability:

  • Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an established encoding library.

  • Implement input validation for special characters on every parameter that is reflected to the browser or stored in the database.

  • Implement client-side validation (in addition to, not instead of, the server-side controls above).
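The attribute-context reflection shown in the proof of concept, and the output-encoding fix recommended above, as an added example that is not Openfire's code: the two render functions are hypothetical stand-ins for the search form markup, the parameter names are the ones from this advisory, and the payload is the advisory's after query-string decoding (each '+' is a space).

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Openfire code: a search parameter reflected into an HTML attribute,
// rendered the vulnerable way and the encoded way, with a check that tells them apart.
public class SearchParamReflection {

    // The advisory's payload after query-string decoding ('+' becomes a space).
    static final String PAYLOAD = "' accesskey='X' onclick='alert(document.cookie)";

    // Vulnerable pattern (hypothetical stand-in for the form markup): the raw parameter
    // value is concatenated into a single-quoted attribute, so a quote in the input
    // closes the attribute and everything after it becomes new attributes.
    static String renderVulnerable(String param, String value) {
        return "<input type='text' name='" + param + "' value='" + value + "'>";
    }

    // Minimal HTML-attribute encoder: escapes the characters that can close an attribute
    // or open a tag. A maintained library (e.g. OWASP Java Encoder) is preferable in production.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened pattern: encode at the point of output, for the attribute context.
    static String renderEncoded(String param, String value) {
        return "<input type='text' name='" + param + "' value='" + encodeForHtmlAttribute(value) + "'>";
    }

    // Check: what a browser parses as the value attribute must decode back to the submitted
    // text. If it does not, part of the input escaped the attribute (here, as an onclick handler).
    static boolean reflectedSafely(String rendered, String submitted) {
        Matcher m = Pattern.compile("value='([^']*)'").matcher(rendered);
        if (!m.find()) return false;
        String decoded = m.group(1).replace("&#39;", "'").replace("&quot;", "\"")
                .replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
        return decoded.equals(submitted);
    }

    public static void main(String[] args) {
        for (String p : new String[] {"searchName", "searchValue", "searchDescription",
                "searchDefaultValue", "searchPlugin", "searchDynamic"}) {
            System.out.println(p + " raw: " + reflectedSafely(renderVulnerable(p, PAYLOAD), PAYLOAD)
                    + ", encoded: " + reflectedSafely(renderEncoded(p, PAYLOAD), PAYLOAD));
        }
    }
}
```

The same round-trip check can be run over captured responses from a test instance to confirm a fix: any reflected parameter whose parsed attribute value no longer equals the submitted input is still escaping its context.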

Impact

If this vulnerability is exploited successfully, it may result in the stealing of cookies, disclosure of end-user files, and redirection of the user to another page or site.

Recommendation

Based on the CSW team's recommendations, Ignite Realtime implemented validation in Openfire to mitigate this vulnerability.

https://issues.igniterealtime.org/browse/OF-1963
