CVE-2015-6973
published 2015-09-16


Priority: P3 (58) · CVSS 2.0: 6.8 medium · vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public PoC available
EPSS: 64.82% (99.1st percentile)
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp.

Affected (1 range)

Vendor          Product   Version range   Fixed in
igniterealtime  openfire  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

Paths:
  /user-password.jsp
  /user-create.jsp
  /server-props.jsp
  /plugins/clientcontrol/permitted-clients.jsp
PoC URLs:
  http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&[email protected]&password=abc123&passwordConfirm=abc123&create=Create+User
  http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties
  http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add
  • Detect cross-origin or referer-less GET/POST form submissions to the Openfire admin JSP endpoints (user-password.jsp, user-create.jsp, server-props.jsp, permitted-clients.jsp). Openfire 3.10.2 has no CSRF tokens on these forms, and a forged request carries the administrator's own session cookie, so it looks fully authenticated; the Origin/Referer header is the only signal that it was not submitted from the admin console.
  • Alert on GET or POST requests to /server-props.jsp carrying sslEnabled=false, which indicates an attempt to disable SSL via CSRF.
  • Alert on requests to /plugins/clientcontrol/permitted-clients.jsp whose 'other' parameter contains an external URL (e.g., http://), which indicates a rogue client download being added.
  • Monitor the Openfire admin console (default port 9090) for unexpected user creation via /user-create.jsp, especially requests carrying username, password, passwordConfirm and create=Create+User.
  • The exploit uses both GET and POST against the admin interface; monitor both methods on the vulnerable paths.
  • The exploit targets Openfire 3.10.2 specifically; the PoC uses the default admin console HTTP port 9090, which may differ in production deployments.
  • The CSRF issues affect the admin area only; exploitation requires an authenticated administrator to be lured to a malicious page while their admin session is active.
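The indicators above applied to access-log lines, as an added example (not code from this page, the advisory source, or the Openfire project). It assumes a combined-format access log with the Origin request header logged as one extra quoted field, a trusted-origin list covering the default console ports, and constructed sample lines; the forged-request lines reuse the paths and parameters of the PoC URLs listed on this page, with the lure page host evil.example assumed.

```python
"""CVE-2015-6973 CSRF indicators as a log scanner.

Added example, not code from the cvebase page or the Openfire project.  It
assumes a combined-format access log with the Origin request header appended
as one extra quoted field (constructed format); the sample lines, the
trusted-origin list and the ports are constructed too.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Admin-console JSP endpoints named in the advisory.
TARGET_PATHS = {"/user-password.jsp", "/user-create.jsp", "/server-props.jsp",
                "/plugins/clientcontrol/permitted-clients.jsp"}

# Origins that legitimately submit admin forms (assumption: default console ports).
TRUSTED_ORIGINS = {"http://localhost:9090", "https://localhost:9091"}

# Constructed format: combined log + trailing quoted Origin header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$')


def origin_of(url):
    """scheme://host[:port] of an absolute URL; '' for '-', empty or relative values."""
    if not url or url == "-":
        return ""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def analyze_request(method, target, referer="-", origin="-", body=""):
    """Alert reasons for one request (empty list if benign).  Query-string and,
    for POST, body parameters are merged because the exploit works with either."""
    parts = urlsplit(target)
    path = parts.path
    if path not in TARGET_PATHS:
        return []
    params = parse_qs(parts.query)
    if method == "POST" and body:
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    if not params:
        return []  # merely rendering the form, not submitting it

    alerts = []
    # No anti-CSRF token in 3.10.2 and the forged request carries the admin's own
    # session cookie, so where the submission came from is the only usable signal.
    src = origin_of(origin) or origin_of(referer)
    if src == "":
        alerts.append(f"{method} {path} without Origin/Referer (possible CSRF)")
    elif src not in TRUSTED_ORIGINS:
        alerts.append(f"{method} {path} from foreign origin {src} (possible CSRF)")

    # Endpoint-specific indicators from the advisory.
    if path == "/server-props.jsp" and params.get("sslEnabled", [""])[0].lower() == "false":
        alerts.append("attempt to disable SSL (sslEnabled=false)")
    if path == "/plugins/clientcontrol/permitted-clients.jsp":
        for other in params.get("other", []):
            if origin_of(other):  # absolute URL => client download from elsewhere
                alerts.append(f"external client URL added: {other}")
    if path == "/user-create.jsp" and "create" in params and "username" in params:
        alerts.append(f"user creation: {params['username'][0]}")
    if path == "/user-password.jsp" and "password" in params:
        alerts.append("password change request")
    return alerts


def scan_log(lines):
    """Return [(line_number, alerts)] for the suspicious lines of a log."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m:  # unparseable lines are skipped; a real pipeline would count them
            alerts = analyze_request(m["method"], m["target"], m["referer"], m["origin"])
            if alerts:
                findings.append((number, alerts))
    return findings


# Constructed sample: one benign console request, then the three PoC-style
# forged requests listed on this page (a lure page at evil.example is assumed).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2015:10:00:00 +0000] "GET /user-create.jsp HTTP/1.1" 200 4321 '
    '"http://localhost:9090/user-summary.jsp" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [16/Sep/2015:10:01:00 +0000] "GET /user-create.jsp?username=hyp3rlinx'
    '&name=hyp3rlinx&password=abc123&passwordConfirm=abc123&create=Create+User HTTP/1.1" '
    '302 0 "http://evil.example/lure.html" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [16/Sep/2015:10:01:01 +0000] "GET /server-props.jsp?serverName=myserver'
    '&sslEnabled=false&save=Save+Properties HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [16/Sep/2015:10:01:02 +0000] "GET /plugins/clientcontrol/permitted-clients.jsp'
    '?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add HTTP/1.1" 302 0 '
    '"http://evil.example/lure.html" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for number, alerts in scan_log(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(alerts))
```

Requests that only render a form (no parameters) are ignored, so a direct visit to user-create.jsp with no Referer does not fire. A forged POST whose body is not logged is caught only by the origin check, which is why logging Origin (or at least Referer) on the admin console matters more than logging parameters for this CVE.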