Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2009-2021 Tenable Network Security, Inc.OPENFIRE_3_6_3.NASL
HistoryFeb 09, 2009 - 12:00 a.m.

Openfire < 3.6.3 Multiple Vulnerabilities

2009-02-0900:00:00
This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.
www.tenable.com
25

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.907 High

EPSS

Percentile

98.8%

JSON

The remote host is running Openfire / Wildfire, an instant messaging server supporting the XMPP protocol.

According to its version, the installation of Openfire or Wildfire is affected by multiple vulnerabilities :

  • Multiple .jsp scripts namely, ‘logviewer.jsp’ (BID 32935), ‘group-summary.jsp’ (BID 32937), ‘user-properties.jsp’ (BID 32938), ‘audit-policy.jsp’ (BID 32939) and ‘log.jsp’ (BID 32940) fail to sanitize input supplied by authorized users, and hence are affected by cross-site scripting vulnerabilities.

  • Provided an administrator’s browser session is allowed to execute arbitrary Javascript and an attacker has managed to steal session cookies, it may be possible for an attacker to execute arbitrary code on the remote system by uploading a new server plugin.

  • Pages ‘security-audit-viewer.jsp’, ‘server-properties.js’ (BID 32943) and ‘muc-room-summary.jsp’ (BID 32944) are affected by a stored cross-site scripting vulnerabilities. (BID 32943)

  • log.jsp fails to sanitize input passed to the ‘log’ parameter by an authorized user, and hence it may be possible for an authenticated attacker to read arbitrary .log files. (BID 32945)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(35628);
  script_version("1.18");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2009-0496", "CVE-2009-0497");
  script_bugtraq_id(
    32935,
    32937,
    32938,
    32939,
    32940,
    32943,
    32944,
    32945
  );
  script_xref(name:"Secunia", value:"33452");

  script_name(english:"Openfire < 3.6.3 Multiple Vulnerabilities");
  script_summary(english:"Checks version in admin login page");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Openfire / Wildfire, an instant messaging
server supporting the XMPP protocol.

According to its version, the installation of Openfire or Wildfire is
affected by multiple vulnerabilities :

  - Multiple .jsp scripts namely, 'logviewer.jsp'
    (BID 32935), 'group-summary.jsp' (BID 32937),
    'user-properties.jsp' (BID 32938), 'audit-policy.jsp'
    (BID 32939) and 'log.jsp' (BID 32940) fail to sanitize
    input supplied by authorized users, and hence are
    affected by cross-site scripting vulnerabilities.

  - Provided an administrator's browser session is allowed
    to execute arbitrary Javascript and an attacker has
    managed to steal session cookies, it may be possible
    for an attacker to execute arbitrary code on the remote
    system by uploading a new server plugin.

  - Pages 'security-audit-viewer.jsp',
    'server-properties.js'
    (BID 32943) and 'muc-room-summary.jsp' (BID 32944) are
    affected by a stored cross-site scripting
    vulnerabilities. (BID 32943)

  - log.jsp fails to sanitize input passed to the 'log'
    parameter by an authorized user, and hence it may be
    possible for an authenticated attacker to read arbitrary
    .log files. (BID 32945)");
  script_set_attribute(attribute:"see_also", value:"http://www.coresecurity.com/content/openfire-multiple-vulnerabilities");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Jan/46");
  script_set_attribute(attribute:"solution", value:"Upgrade to Openfire version 3.6.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(22, 79);

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/09");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:igniterealtime:openfire");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 9090);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");

# nb: banner checks of open source software are prone to false-
#     positives so only run the check if reporting is paranoid.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:9090);
if (!get_port_state(port)) exit(0);

# Grab the version from the admin console's login page.
res = http_send_recv3(method:"GET", item: "/login.jsp?url=%2Findex.jsp",port:port);
if (res == NULL) exit(0);

if (
  'id="jive-loginVersion">' >< res[2] &&
  (
    "<title>Openfire Admin Console" >< res[2] &&
    "Openfire, Version: " >< res[2]
  ) ||
  (
    "<title>Wildfire Admin Console" >< res[2] &&
    "Wildfire, Version: " >< res[2]
  )
)
{
  prod = strstr(res[2], "<title>") - "<title>";
  prod = prod - strstr(prod, " Admin Console</title>");

  ver = strstr(res[2], "fire, Version: ") - "fire, Version: ";
  if (ver) ver = ver - strstr(ver, '\n');

  # The issue was addressed in version 3.6.3 so treat any
  # versions before that as vulnerable.
  if (
    strlen(ver) && ver =~ "^([0-2]\.|3\.([0-5][^0-9]|6\.[0-2][a]*$))" &&
    prod =~ "^(Open|Wild)fire$"
  )
  {
    if (report_verbosity)
    {
      report = string(
        "\n",
        prod, " version ", ver, " is installed on the remote host.\n"
      );
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
  }
}
VendorProductVersionCPE
igniterealtimeopenfirecpe:/a:igniterealtime:openfire

Related

freebsd 1
openvas 6
nessus 2
cvelist 2
prion 2
cve 2
nvd 2
securityvulns 2
gentoo 1
freebsd
freebsd
openfire -- multiple vulnerabilities
2009-01-08 00:00:00
openvas
openvas
OpenFire < 3.6.3 Multiple Vulnerabilities
2009-02-11 00:00:00
FreeBSD Ports: openfire
2009-01-26 00:00:00
FreeBSD Ports: openfire
2009-01-26 00:00:00
nessus
nessus
FreeBSD : openfire -- multiple vulnerabilities (c3aba586-ea77-11dd-9d1e-000bcdc1757a)
2009-01-26 00:00:00
GLSA-200904-01 : Openfire: Multiple vulnerabilities
2009-04-03 00:00:00
cvelist
cvelist
CVE-2009-0496
2009-02-10 01:00:00
CVE-2009-0497
2009-02-10 01:00:00
prion
prion
Directory traversal
2009-02-10 01:30:00
Cross site scripting
2009-02-10 01:30:00
cve
cve
CVE-2009-0497
2009-02-10 01:30:00
CVE-2009-0496
2009-02-10 01:30:00
nvd
nvd
CVE-2009-0497
2009-02-10 01:30:00
CVE-2009-0496
2009-02-10 01:30:00
securityvulns
securityvulns
[ GLSA 200904-01 ] Openfire: Multiple vulnerabilities
2009-04-07 00:00:00
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2009-04-07 00:00:00
gentoo
gentoo
Openfire: Multiple vulnerabilities
2009-04-02 00:00:00

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.907 High

EPSS

Percentile

98.8%

JSON
Related for OPENFIRE_3_6_3.NASL
freebsd1openvas6nessus2cvelist2prion2cve2nvd2securityvulns2gentoo1