CVE-2015-6973
Published 2015-09-16
Priority: P358 · Severity: medium · CVSS 2.0 base score 6.8 (vector AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: public PoC available · EPSS: 64.82% (99.1th percentile)
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| igniterealtime | openfire | — | — |
Detection & IOCs (extracted from sources)
PoC request URLs (from the public advisory; the PoC targets the default admin console on localhost:9090):
- http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&[email protected]&password=abc123&passwordConfirm=abc123&create=Create+User
- http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties
- http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add
- Detect cross-origin GET/POST requests to the Openfire admin JSP endpoints (user-password.jsp, user-create.jsp, server-props.jsp, plugins/clientcontrol/permitted-clients.jsp). A CSRF request arrives with the victim administrator's valid session cookie, so it is not unauthenticated; the usable request-level signal is a missing Origin/Referer header or one pointing at a host other than the admin console. Openfire 3.10.2 issues no CSRF tokens at all, so the absence of a token does not by itself distinguish forged requests from legitimate ones.
- Alert on GET or POST requests to /server-props.jsp carrying the parameter sslEnabled=false, which indicates an attempt to disable SSL via CSRF.
- Alert on requests to /plugins/clientcontrol/permitted-clients.jsp whose 'other' parameter contains an external URL (e.g., beginning with http://), which indicates a rogue client being added to the permitted list.
- Monitor the Openfire admin console (default port 9090) for unexpected user creation via /user-create.jsp, especially requests carrying the parameters username, password, passwordConfirm and create=Create+User.
- The public exploit uses both GET and POST against the admin interface; monitor both methods on the vulnerable paths. Note that query parameters of GET requests appear in ordinary access logs, while POST bodies do not unless a reverse proxy or WAF records them.
- The exploit targets Openfire 3.10.2 specifically; the admin HTTP port used in the PoC is the default 9090, which may differ in production deployments.
- The CSRF attacks affect the admin area only; exploitation requires an authenticated administrator to be tricked into visiting a malicious page while their admin-console session is active.
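The detection items above, run over sample access-log lines, as an added example that is not part of the original advisory or of Openfire's own code. It assumes a reverse proxy in front of the admin console writing combined-format access logs (Openfire's embedded Jetty does not log the Referer by default), an admin-console hostname of openfire.internal, and constructed log lines; all of these are assumptions, not data from the page. Because GET parameters are the only ones visible in such logs, the rules below see POST bodies only if the proxy records them.

```python
"""Flag CSRF-style requests against Openfire 3.10.2 admin endpoints (CVE-2015-6973).

Added example: parses combined-format access log lines and applies the
detection rules from the advisory. Assumes a reverse proxy logs the
Referer header; the legitimate admin-console host is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints enumerated in the CVE description (server-props.jsp covers items 3 and 4).
ADMIN_ENDPOINTS = {
    "/user-password.jsp": "admin password change",
    "/user-create.jsp": "user creation",
    "/server-props.jsp": "server property edit",
    "/plugins/clientcontrol/permitted-clients.jsp": "permitted-client edit",
}

# Constructed sample log lines (not real traffic). Line 1-2: forged GETs from a lure page.
# Line 3: a legitimate same-origin user creation. Line 4: harmless. Line 5: no Referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Sep/2015:10:01:02 +0000] "GET /server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties HTTP/1.1" 200 512 "http://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Sep/2015:10:01:05 +0000] "GET /plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//evil.example/payload.exe&addOther=Add HTTP/1.1" 200 512 "http://attacker.example/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Sep/2015:10:05:00 +0000] "GET /user-create.jsp?username=alice&name=Alice&email=alice%40example.org&password=s3cret&passwordConfirm=s3cret&create=Create+User HTTP/1.1" 302 0 "http://openfire.internal:9090/user-create.jsp" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Sep/2015:10:05:30 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Sep/2015:10:07:00 +0000] "GET /user-create.jsp?username=backdoor&name=x&password=abc123&passwordConfirm=abc123&create=Create+User HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    # parse_qs decodes %xx escapes and turns '+' into a space, so the PoC's
    # create=Create+User arrives here as "Create User".
    entry["params"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return entry


def referer_host(referer):
    """Hostname of the Referer, or None when the header is absent ('-')."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def analyze(entry, admin_hosts):
    """Return a list of (severity, message) findings for one parsed request."""
    path = entry["path"]
    if path not in ADMIN_ENDPOINTS:
        return []
    findings = []
    params = entry["params"]
    host = referer_host(entry["referer"])
    # No CSRF token exists in 3.10.2, so origin is the only request-level signal.
    if host is None:
        findings.append(("high", f"{entry['method']} {path} ({ADMIN_ENDPOINTS[path]}) with missing Referer"))
    elif host not in admin_hosts:
        findings.append(("high", f"cross-origin {entry['method']} {path} ({ADMIN_ENDPOINTS[path]}) from {host}"))
    if path == "/server-props.jsp" and params.get("sslEnabled", "").lower() == "false":
        findings.append(("high", "sslEnabled=false: attempt to disable SSL on the server"))
    if path == "/plugins/clientcontrol/permitted-clients.jsp" and re.match(r"https?://", params.get("other", ""), re.I):
        findings.append(("high", f"external client URL added: {params['other']}"))
    if path == "/user-create.jsp" and params.get("create") == "Create User":
        findings.append(("info", f"admin-console user creation: username={params.get('username')}"))
    return findings


def scan(lines, admin_hosts):
    """Map 1-based line number -> findings for every line that produced any."""
    results = {}
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        findings = analyze(entry, admin_hosts)
        if findings:
            results[n] = findings
    return results


if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG, {"openfire.internal"}).items():
        for severity, message in findings:
            print(f"line {n} [{severity}] {message}")
```

Lines 1, 2 and 5 of the constructed sample are flagged as high (foreign or missing Referer plus the parameter-based rules); line 3, a same-origin user creation, only produces an informational entry, which is the behaviour you want when the admin host list is accurate.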
No detection rules found.
No writeups or analysis indexed.
References:
- http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt
- http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html
- http://www.securityfocus.com/archive/1/536470/100/0/threaded
- https://security.gentoo.org/glsa/201612-50
- https://www.exploit-db.com/exploits/38192/