How to detect Vulnerability CVE-2020-24604?
Posted on 21st Sep, 2020 | By Bhavithra
Cyber Security Works discovered a reflected XSS vulnerability, CVE-2020-24604, in Ignite Realtime Openfire 4.5.1. Openfire (formerly Wildfire). Openfire is a cross-platform real-time collaboration server based on the XMPP protocol. The vulnerability was discovered by CSW Security Researcher on Feb 5, 2020.
CVE-2020-24604 was detected manually using a Burp Suite tool. The server properties page is vulnerable to reflected cross-site scripting.
The vulnerability was disclosed to Openfire on Feb 5, 2020. The vendor responded and released a patch on March 6, 2020, to mitigate this vulnerability.
|Feb 4, 2020||Vulnerability Discovered by CSW Security Researcher.|
|Feb 5, 2020||Vulnerability Reported to Vendor|
|Feb 6, 2020||Vendor responded with bug tracker Links|
|Feb 13, 2020||Follow up with vendor for fix release|
|Mar 1, 2020||Follow up with Vendor for fix release|
|Mar 6, 2020||Vendor responded with a released fix|
|Aug 20, 2020||Request for CVE|
|Aug 24, 2020||CVE Assigned|
|Sep 1, 2020||Vendor Updated CVE in the bug tracker and Request for an update in CVE|
|Sep 2, 2020||CVE Published in NVD|
CVE-2020-24604 is a reflected cross-site scripting vulnerability in Openfire Product (Openfire version 4.5.1). The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML through the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp
Proof of Concept
Vendor: Ignite Realtime
Product version: Version 4.5.1
Vulnerable URL: GET request “searchName”,” searchValue”, “searchDescription”, “searchDefaultValue”,“searchPlugin”, “searchDescription” and “searchDynamic” are vulnerable parameters in the following URLs,
POST request “action” is a vulnerable parameter in this URL
Steps to Reproduce:
Issue: Reflected cross-site scripting (POST Request)
Step 1: Log in to the application (admin) through the URL
Step 2: Navigate to this URL and click on the ‘encrypt’ button
Step 3: Set up a proxy and intercept the request
Step 4: Add the malicious payload ><script>alert(‘VULXSS’) </script> in the parameter ‘action’ and forward the request.
Figure 01: System Properties Page
Figure 02: Request to the server with malicious payload><script>alert('VULXSS')</script> in the parameter "action"
We recommend the following fixes for this vulnerability
Perform context-sensitive encoding of untrusted input before it is echoed back to a browser using an encoding library.
Implement input validation for special characters on all the variables reflecting the browser and storing it in the database.
Implement client-side validation.
If this vulnerability is exploited successfully, it may result in
The disclosure of information stored in user cookies. Typically, a malicious user will craft a client-side script, which, when parsed by a web browser, performs some activity such as sending all site cookies to a given mail address.
It may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws.
Based on the CSW team's recommendations, Ignite Realtime Openfire executed a validation on their end and released a fix to mitigate this vulnerability.