A critical security vulnerability, CVE-2023-32315, has been discovered in the Openfire XMPP server. It allows unauthenticated users to reach restricted pages in the Openfire Admin Console by way of a path traversal attack through the unauthenticated Openfire Setup Environment. The issue has been present in every Openfire release since version 3.10, released in April 2015. Patches are available in Openfire releases 4.7.5 and 4.6.8, and further hardening is expected in the upcoming version 4.8.

Introduction

Openfire is a widely used XMPP server, popular for its ease of use and extensive feature set. It is licensed under the open source Apache License. Openfire's administrative console, a web-based application, is a core component of the server through which administrators manage server settings and perform administrative tasks.

Vulnerability Details

CVE-2023-32315 affects all Openfire versions since 3.10, released in April 2015. The vulnerability stems from an issue within the Openfire Setup Environment: the setup pages are reachable without authentication, and a path traversal sequence in a request to that area lets an unauthenticated user reach restricted pages in the Openfire Admin Console that should only be accessible to authorized administrative users.

Access the Openfire Setup Environment using a request similar to:

http://target.tld:909/setup/setup-host-settings.jsp

Conduct a path traversal attack by modifying the request as follows:

http://target.tld:909/setup/..%2Fsystem-logs.jsp

As a result of this request, the attacker is able to access the system-logs.jsp page, which should only be available to authenticated administrative users.
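Defenders can hunt for this pattern in web server access logs. The following Python is an added example, not Openfire's code: it percent-decodes and normalizes each request path the way a servlet container would and flags requests that start with /setup/ but resolve elsewhere. It generalizes the single-encoded case above to repeated percent-decoding, and the log lines and the page name some-page.jsp are constructed.

```python
# Added example, not Openfire's code: flag requests whose raw path would pass a
# naive "/setup/" prefix check (the unauthenticated setup filter) but whose
# decoded, normalized path resolves outside /setup/, i.e. the normalization
# mismatch behind CVE-2023-32315.
import posixpath
from urllib.parse import unquote

def normalized_path(raw_path: str) -> str:
    """Strip the query, percent-decode until stable (catches %252F), normalize '..'."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    while decoded != path:
        path, decoded = decoded, unquote(decoded)
    return posixpath.normpath(path)

def escapes_setup(raw_path: str) -> bool:
    """True when a /setup/ request resolves outside /setup/ after decoding."""
    if not raw_path.startswith("/setup/"):
        return False
    norm = normalized_path(raw_path)
    return not (norm == "/setup" or norm.startswith("/setup/"))

def suspicious_requests(log_text: str) -> list:
    """Return (client, raw_path, resolved_path) for each request escaping /setup/."""
    hits = []
    for line in log_text.splitlines():
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request = quoted[1].split()          # e.g. ["GET", "/path", "HTTP/1.1"]
        if len(request) < 2:
            continue
        raw_path = request[1]
        if escapes_setup(raw_path):
            hits.append((line.split()[0], raw_path, normalized_path(raw_path)))
    return hits

# Constructed access-log lines (not real traffic); the third uses double
# encoding and a made-up page name to show the generalized check.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2023:10:00:01 +0000] "GET /setup/setup-host-settings.jsp HTTP/1.1" 200 512
10.0.0.9 - - [26/May/2023:10:00:02 +0000] "GET /setup/..%2Fsystem-logs.jsp HTTP/1.1" 200 8192
10.0.0.9 - - [26/May/2023:10:00:03 +0000] "GET /setup/..%252Fsome-page.jsp HTTP/1.1" 200 4096
10.0.0.7 - - [26/May/2023:10:00:04 +0000] "GET /login.jsp HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for client, raw, resolved in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested {raw} -> resolves to {resolved}")
```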

Fix

To fix the issue, upgrade to Openfire 4.7.5 or 4.6.8, depending on your current version. Further improvements related to this vulnerability will also be included in the upcoming 4.8 release.

References

- GHSA-gw42-f939-fhvm

Mitigation

If an upgrade to Openfire 4.7.5 or 4.6.8 is not possible, or immediate action is needed, refer to the GitHub advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

Conclusion

This vulnerability (CVE-2023-32315) is a reminder that even widely used, open source solutions like Openfire can carry serious security flaws. As an administrator, it is crucial to keep applications updated and to remain vigilant for newly disclosed vulnerabilities and threats in order to maintain a secure environment.

Timeline

Published on: 05/26/2023 23:15:00 UTC
Last modified on: 06/03/2023 03:57:00 UTC