{"id":7601,"date":"2020-09-21T21:43:56","date_gmt":"2020-09-22T04:43:56","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7601"},"modified":"2023-04-05T12:42:56","modified_gmt":"2023-04-05T19:42:56","slug":"how-to-detect-vulnerability-cve-2020-24602","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/how-to-detect-vulnerability-cve-2020-24602\/","title":{"rendered":"How to Detect Vulnerability CVE-2020-24602?"},"content":{"rendered":"

Cyber Security Works discovered a new zero-day vulnerability, CVE-2020-24602, in Ignite Realtime Openfire 4.5.1. Openfire (formerly Wildfire) is a cross-platform real-time collaboration server based on the XMPP protocol. The vulnerability was discovered by a CSW Security Researcher on Feb 5 2020.<\/p>\n

Vulnerability Detection<\/strong><\/h2>\n

CVE-2020-24602 was detected manually using Burp Suite. In the Openfire application, the search functionality in the admin account is vulnerable to reflected cross-site scripting attacks due to missing input validation and lack of output encoding.<\/p>\n

Disclosure\u00a0<\/strong><\/h2>\n

The vulnerability was disclosed to Openfire on Feb 5, 2020. The vendor responded and released a patch on March 6, 2020, to mitigate this vulnerability.<\/p>\n

Timeline<\/strong><\/h2>\n\n\n\n\n\n\n\n\n\n\n\n
Date<\/b><\/td>\nDescription<\/b><\/td>\n<\/tr>\n
Feb 4, 2020<\/td>\nVulnerability discovered by CSW Security Researcher.<\/td>\n<\/tr>\n
Feb 5, 2020<\/td>\nReported to Vendor<\/td>\n<\/tr>\n
Feb 6, 2020<\/td>\nThe Vendor confirmed the vulnerability<\/td>\n<\/tr>\n
Feb 13, 2020<\/td>\nFollow up with vendor for fix release<\/td>\n<\/tr>\n
Mar 13, 2020<\/td>\nFollow up with Vendor for fix release<\/td>\n<\/tr>\n
Mar 6, 2020<\/td>\nVendor responded that the fix was released and confirmed the changes will be part of Openfire 4.5.1<\/td>\n<\/tr>\n
Aug 24, 2020<\/td>\nCVE assigned<\/td>\n<\/tr>\n
Sep 1, 2020<\/td>\nVendor updated CVE<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Vulnerability Analysis<\/strong><\/h2>\n

CVE-2020-24602 is a reflected cross-site scripting vulnerability in the Openfire product (Openfire version 4.5.1). A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted web site. The application becomes an attack vehicle that targets its own users. The XSS payload executes whenever the user views the crafted POST request with the XSS payload in the Openfire 4.5.0 product.<\/p>\n

Proof of Concept<\/strong><\/h2>\n

Product<\/strong>: Openfire Product<\/p>\n

Vendor<\/strong>: Ignite Realtime<\/p>\n

Product version<\/strong>: Openfire version 4.5.1<\/p>\n

Privilege<\/strong>: admin<\/p>\n

Request type<\/strong>: GET<\/p>\n

Vulnerable URL<\/strong>: http:\/\/localhost:9090\/server-properties.jsp<\/a>,<\/p>\n

http:\/\/localhost:9090\/security-audit-viewer.jsp<\/a><\/p>\n

Vulnerable Parameter<\/strong>: \u201csearchName\u201d, \u201csearchValue\u201d, \u201csearchDescription\u201d, \u201csearchDefaultValue\u201d, \u201csearchPlugin\u201d, \u201csearchDescription\u201d and \u201csearchDynamic\u201d<\/p>\n

Steps to Reproduce<\/strong>:<\/h2>\n

Issue 01<\/strong>: Reflected Cross-Site Scripting<\/strong><\/p>\n

Step 1<\/strong>: Log in to the application (admin) through this URL in Firefox.<\/p>\n

Step 2<\/strong>: Navigate to this URL and press ALT+SHIFT+X to execute the malicious JavaScript in the browser.<\/p>\n

Similarly, add the XSS payload ‘+accesskey=’X’+onclick=’alert(document.cookie) to the other vulnerable variables \u201csearchName\u201d, \u201csearchValue\u201d, \u201csearchDescription\u201d, \u201csearchDefaultValue\u201d, \u201csearchPlugin\u201d, \u201csearchDescription\u201d and \u201csearchDynamic\u201d in form id \u2018paginationForm\u2019, which reflects in the browser.<\/p>\n

Figure 1<\/strong>: The injected XSS payload ‘+accesskey=’X’+onclick=’alert(document.cookie) gets reflected in the browser response.<\/p>\n

Mitigation<\/strong><\/h2>\n

We recommend the following fixes to this vulnerability<\/p>\n