CVE-2008-6508
published 2009-03-23


Priority: P2 · 72 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 83.38% (99.6th percentile)
Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.

Affected

25 ranges
Vendor          Product    Version range   Fixed in
igniterealtime  openfire   <= 3.6.0a
igniterealtime  openfire

Detection & IOCs (extracted from sources)

url: /setup/setup-/../../log.jsp
url: /setup/setup-/../../plugin-admin.jsp?uploadplugin
url: /setup/setup-/../../plugin-admin.jsp?deleteplugin=
path: /setup/setup-/../../
url: http://www.foo.bar:9090/setup/setup-/../../log.jsp?log=info&mode=asc&lines=All
url: http://www.foo.bar:9090/setup/setup-/../../dwr/exec/downloader.installPlugin.dwr
port: 9090
filename: plugin-metasploit.jar
filename: plugin.xml
url: http://www.foo.bar:9090/setup/setup-/../../plugins/sip/sipark-log-summary.jsp?type=all'UNION%20SELECT%20'attack-code'%20INTO%20OUTFILE%20'/tmp/attack.sh'%20/*&startDate=Any&endDate=Any&submit=true&get=Search
  • Alert on HTTP POST requests to '/setup/setup-/../../plugin-admin.jsp?uploadplugin' which indicates malicious plugin upload exploitation of the auth bypass.
  • Monitor for multipart/form-data POST requests containing JAR file uploads (plugin-metasploit.jar) to the Openfire admin console plugin-admin.jsp endpoint.
  • Detect unauthenticated access to Openfire admin pages (e.g., log.jsp, plugin-admin.jsp) via traversal path '/setup/setup-/../../' without a valid authenticated session.
  • Flag HTTP requests to Openfire's DWR endpoint '/setup/setup-/../../dwr/exec/downloader.installPlugin.dwr' used to install remote plugins without authentication.
  • Identify the Metasploit exploit by the server fingerprint check pattern matching 'Openfire, \D*: (\d)\.(\d).(\d)' in HTTP response bodies on port 9090.
  • The authentication bypass works because the AuthCheckFilter's Exclude-Strings list includes 'setup/setup-': any URL containing this substring bypasses auth entirely, regardless of what follows.
  • Openfire listens on both tcp/9090 (HTTP) and tcp/9091 (HTTPS) for admin console access by default; both ports are affected and should be blocked at the firewall.
  • Removing the uploaded malicious plugin after exploitation may leave the server in an unstable state, making re-exploitation difficult; manual removal is recommended.
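
The detection notes above as a log scanner, added here as an example (it is not part of the original entry or of Openfire). The access-log format, the sample lines, the page name setup-example.jsp and all function names are assumptions constructed for illustration; the scanner also percent-decodes the path once before matching, which goes beyond the literal URLs listed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Exclude-Strings entry named in the entry above
EXCLUDE_MARKER = "setup/setup-"
# Assumed Common Log Format request field: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def resolve(target):
    """Return (decoded path, path with '.' and '..' segments collapsed)."""
    path = unquote(urlsplit(target).path)
    return path, posixpath.normpath(path)

def is_bypass_attempt(target):
    """True when the path holds the excluded substring and a '..' segment
    and collapses to a page outside /setup/."""
    path, resolved = resolve(target)
    if EXCLUDE_MARKER not in path or ".." not in path.split("/"):
        return False
    return not (resolved == "/setup" or resolved.startswith("/setup/"))

def scan(lines):
    """Yield (method, raw target, resolved path, status) for flagged lines."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_bypass_attempt(m["target"]):
            yield m["method"], m["target"], resolve(m["target"])[1], m["status"]

# Constructed sample log lines (documentation IP ranges, invented timestamps)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /setup/setup-/../../log.jsp?log=info&mode=asc&lines=All HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2009:10:00:05 +0000] "POST /setup/setup-/../../plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0',
    '192.0.2.11 - - [01/Jan/2009:10:01:00 +0000] "GET /setup/setup-/%2e%2e/%2e%2e/log.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2009:10:02:00 +0000] "GET /setup/setup-example.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2009:10:02:10 +0000] "GET /setup/setup-/../setup-example.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2009:10:03:00 +0000] "GET /login.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for method, raw, resolved, status in scan(SAMPLE_LOG):
        print(f"{status} {method} {raw} -> {resolved}")
```

The resolved path shows which admin page the request actually reached, and the status code helps separate probes from requests the server answered.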