The vulnerability affects Openfire's web-based administrative console (Admin Console). It allows an unauthenticated user to use the Openfire Setup Environment, which remains reachable on an already configured Openfire server, to reach Admin Console pages that are restricted to administrators. The attack is a path traversal, and it succeeded because the protections placed against such traversal were incomplete.
Openfire's path traversal protections caught the standard forms of such attacks but did not recognise the non-standard URL encoding of UTF-16 characters (the %uXXXX form). At the time this gap was harmless, because the embedded web server did not decode that encoding either, so the encoded characters never turned into dots or path separators.
A later upgrade of the embedded web server added support for this encoding, but Openfire's path traversal protections were not updated to match, which made the gap exploitable. Combined with the wildcard patterns used to exclude the setup pages from authentication, the traversal let a malicious user bypass the Admin Console's authentication requirements.
Every Openfire release since version 3.10.0 (April 2015) is affected. The issue is fixed in Openfire 4.7.5 and 4.6.8, and further hardening is planned for the first release of the 4.8 branch (expected to be version 4.8.0).
Problem Reproduction and Resolution
A step-by-step procedure is available for checking whether an Openfire instance is affected. If it is, upgrade to Openfire 4.7.5, 4.6.8 or a later release. These versions improve the detection of path traversal patterns and introduce new configuration properties that control whether wildcards may be used in the URL patterns that define exclusions from authentication.
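The two passages above, the one explaining how the non-standard UTF-16 URL encoding slipped past a traversal check that sat in front of wildcard exclusions, and the one describing the fix (better pattern detection plus a switch for wildcard exclusions), are illustrated here with a small Python model. This is an added example, not Openfire's code or its real exclusion list: the `setup/*` and `login.jsp` patterns, the `secret-admin.jsp` target and the request paths are all constructed for the demonstration, and `allow_wildcards` is a hypothetical stand-in for the kind of property the fix introduces.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed exclusion list: request paths the auth filter lets through without
# an admin session. Illustrative only, not Openfire's real list.
EXCLUDED_PATTERNS = ["setup/*", "login.jsp"]

# Traversal check that only understands literal dots and standard %XX-encoded dots.
_NAIVE_TRAVERSAL_RE = re.compile(r"(?:\.|%2e){2}", re.IGNORECASE)
# Non-standard %uXXXX encoding of a UTF-16 code unit (e.g. %u002e is '.').
_PERCENT_U_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def matches_exclusion(path: str, allow_wildcards: bool = True) -> bool:
    """True if `path` matches an exclusion. With allow_wildcards=False the
    'prefix/*' patterns are ignored and only exact matches count (a hypothetical
    stand-in for a property that disables wildcard exclusions)."""
    for pattern in EXCLUDED_PATTERNS:
        if pattern.endswith("/*"):
            if allow_wildcards and path.startswith(pattern[:-1]):
                return True
        elif path == pattern:
            return True
    return False


def requires_auth_vulnerable(raw_path: str) -> bool:
    """Filter that inspects the raw request path and knows nothing about %uXXXX.
    Returns False when the request would be let through without a session."""
    if _NAIVE_TRAVERSAL_RE.search(raw_path):
        return True  # classic '..' or '%2e%2e' traversal is caught
    return not matches_exclusion(raw_path)


def canonical_path(raw_path: str) -> str:
    """Decode %uXXXX and %XX repeatedly until the path stops changing, then
    collapse '.' and '..' segments, so the exclusion check sees the same path
    the servlet container will actually dispatch."""
    path = raw_path
    for _ in range(8):  # bounded: nested encodings must not loop forever
        decoded = _PERCENT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), path)
        decoded = unquote(decoded)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)


def requires_auth_hardened(raw_path: str, allow_wildcards: bool = True) -> bool:
    """Hardened filter: match exclusions against the canonical path and refuse
    anything that escapes the application root or uses backslashes."""
    path = canonical_path(raw_path)
    if path.startswith("..") or path.startswith("/") or "\\" in path:
        return True
    return not matches_exclusion(path, allow_wildcards)


if __name__ == "__main__":
    # Constructed request paths; the last three are the bypass shapes of interest.
    samples = [
        "setup/index.jsp",
        "secret-admin.jsp",
        "setup/../secret-admin.jsp",
        "setup/%2e%2e/secret-admin.jsp",
        "setup/%u002e%u002e/secret-admin.jsp",        # %u encoding: slips past the naive check
        "setup/%25u002e%25u002e/secret-admin.jsp",    # double-encoded variant
        "setup/%u002e%u002e/%u002e%u002e/x.jsp",      # escapes the root entirely
    ]
    for raw in samples:
        print(f"{raw:45} vulnerable={requires_auth_vulnerable(raw)!s:5} "
              f"hardened={requires_auth_hardened(raw)!s:5} -> {canonical_path(raw)}")
```

The naive filter sees `setup/%u002e%u002e/secret-admin.jsp` as a page under `setup/`, finds no `..` or `%2e%2e` in it and lets it through; the container then decodes the `%u002e` sequences and dispatches `secret-admin.jsp`. The hardened filter decodes first, including the double-encoded form, and compares the exclusions against the result. Setting `allow_wildcards=False` closes the `setup/*` prefix entirely, which is safer but also blocks the legitimate setup pages, the same trade-off the mitigations below warn about.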
If you run older versions of the Random Avatar, Monitoring Service or HTTP File Upload plugins, update them to the versions recommended alongside the fixed Openfire releases.
Upgrading is the best course of action. If it is not immediately possible, other measures reduce the risk: restricting network access to the Admin Console, modifying the runtime configuration file, binding the Admin Console to the loopback interface, or installing the AuthFilterSanitizer plugin released by the Ignite Realtime community.
These measures only reduce the risk, and they may interfere with the functionality of certain Openfire plugins, so test them carefully before applying them. Upgrading to a fixed version of Openfire remains the recommended course of action.