Cyber Security Month: Download Virtual Posters, Zoom Backgrounds & Wallpapers

How to detect Vulnerability CVE-2020-24604?

Posted on 21st Sep, 2020 | By Bhavithra

Cyber Security Works discovered a reflected XSS vulnerability, CVE-2020-24604, in Ignite Realtime Openfire 4.5.1. Openfire (formerly Wildfire). Openfire is a cross-platform real-time collaboration server based on the XMPP protocol. The vulnerability was discovered by CSW Security Researcher on Feb 5, 2020.

Vulnerability Detection

CVE-2020-24604 was detected manually using a Burp Suite tool. The server properties page is vulnerable to reflected cross-site scripting. 

Disclosure 

The vulnerability was disclosed to Openfire on Feb 5, 2020. The vendor responded and released a patch on March 6, 2020, to mitigate this vulnerability. 

Timeline

Date Description
Feb 4, 2020 Vulnerability Discovered by CSW Security Researcher.
Feb 5,  2020 Vulnerability Reported to Vendor
Feb 6,  2020 Vendor responded with bug tracker Links
Feb 13, 2020 Follow up with vendor for fix release
Mar 1,  2020 Follow up with Vendor for fix release
Mar 6,  2020 Vendor responded with a released fix
Aug 20, 2020 Request for CVE
Aug 24,  2020 CVE Assigned
Sep 1, 2020 Vendor Updated CVE in the bug tracker and Request for an update in CVE
Sep 2,  2020 CVE Published in NVD

Vulnerability Analysis

CVE-2020-24604 is a reflected cross-site scripting vulnerability in Openfire Product (Openfire version 4.5.1). The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML through the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp

Proof of Concept

Product: Openfire 

Vendor: Ignite Realtime

Product version: Version 4.5.1

Privilege: admin

Vulnerable URL:  GET request “searchName”,” searchValue”, “searchDescription”, “searchDefaultValue”,“searchPlugin”, “searchDescription” and “searchDynamic” are vulnerable parameters in the following URLs,

http://localhost:9090/server-properties.jsp

http://localhost:9090/security-audit-viewer.jsp

POST request “action” is a vulnerable parameter in this URL

http://localhost:9090/server-properties.jsp 

Steps to Reproduce

Issue: Reflected cross-site scripting (POST Request)

Step 1: Log in to the application (admin) through the URL 

Step 2: Navigate to this URL and click on the ‘encrypt’ button 

Step 3: Set up a proxy and intercept the request

Step 4: Add the malicious payload ><script>alert(‘VULXSS’) </script> in the parameter ‘action’ and forward the request.

  Figure 01: System Properties Page

Figure 02: Request to the server with malicious payload><script>alert('VULXSS')</script> in the parameter "action"

Figure 03: Malicious Javascript payload is executed on the victim's browser

Mitigation

We recommend the following fixes for this vulnerability

  • Perform context-sensitive encoding of untrusted input before it is echoed back to a browser using an encoding library.

  • Implement input validation for special characters on all the variables reflecting the browser and storing it in the database.

  • Implement client-side validation.

Impact 

If this vulnerability is exploited successfully, it may result in 

  • The disclosure of information stored in user cookies. Typically, a malicious user will craft a client-side script, which, when parsed by a web browser, performs some activity such as sending all site cookies to a given mail address. 

  • It may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws.

Recommendation

Based on the CSW team's recommendations, Ignite Realtime Openfire executed a validation on their end and released a fix to mitigate this vulnerability.

https://issues.igniterealtime.org/browse/OF-1963

<gdiv></gdiv>

Test your defense to know how secure you are… Signup for free pentesting service*

* A limited period offer