{"id":7603,"date":"2020-09-21T04:07:06","date_gmt":"2020-09-21T11:07:06","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7603"},"modified":"2023-04-05T12:43:04","modified_gmt":"2023-04-05T19:43:04","slug":"how-to-detect-vulnerability-cve-2020-24604","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/how-to-detect-vulnerability-cve-2020-24604\/","title":{"rendered":"How to Detect Vulnerability CVE-2020-24604?"},"content":{"rendered":"

Cyber Security Works discovered a reflected XSS vulnerability, CVE-2020-24604, in Ignite Realtime Openfire 4.5.1. Openfire (formerly Wildfire) is a cross-platform real-time collaboration server based on the XMPP protocol. The vulnerability was discovered by a CSW Security Researcher on Feb 5, 2020.<\/p>\n

Vulnerability Detection<\/strong><\/h2>\n

CVE-2020-24604 was detected manually using Burp Suite. The server properties page is vulnerable to reflected cross-site scripting.<\/p>\n

Disclosure<\/strong><\/h2>\n

The vulnerability was disclosed to Openfire on Feb 5, 2020. The vendor responded and released a patch on March 6, 2020, that mitigates this vulnerability.<\/p>\n

Timeline<\/strong><\/h2>\n
Date<\/strong><\/td>\nDescription<\/strong><\/td>\n<\/tr>\n
Feb 4, 2020<\/td>\nVulnerability discovered by CSW Security Researcher<\/td>\n<\/tr>\n
Feb 5, 2020<\/td>\nVulnerability reported to vendor<\/td>\n<\/tr>\n
Feb 6, 2020<\/td>\nVendor responded with bug tracker links<\/td>\n<\/tr>\n
Feb 13, 2020<\/td>\nFollow up with vendor for fix release<\/td>\n<\/tr>\n
Mar 1, 2020<\/td>\nFollow up with vendor for fix release<\/td>\n<\/tr>\n
Mar 6, 2020<\/td>\nVendor responded with a released fix<\/td>\n<\/tr>\n
Aug 20, 2020<\/td>\nRequest for CVE<\/td>\n<\/tr>\n
Aug 24, 2020<\/td>\nCVE assigned<\/td>\n<\/tr>\n
Sep 1, 2020<\/td>\nVendor updated CVE in the bug tracker and requested an update to the CVE<\/td>\n<\/tr>\n
Sep 2, 2020<\/td>\nCVE published in NVD<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Vulnerability Analysis<\/strong><\/h2>\n

CVE-2020-24604 is a reflected cross-site scripting vulnerability in Openfire version 4.5.1. It allows remote attackers to inject arbitrary web script or HTML through the GET request parameters “searchName”, “searchValue”, “searchDescription”, “searchDefaultValue”, “searchPlugin” and “searchDynamic” in server-properties.jsp and security-audit-viewer.jsp.<\/p>\n

Proof of Concept<\/strong><\/h2>\n

Product<\/strong>: Openfire<\/p>\n

Vendor<\/strong>: Ignite Realtime<\/p>\n

Product version<\/strong>: Version 4.5.1<\/p>\n

Privilege<\/strong>: admin<\/p>\n

Vulnerable URL<\/strong>: The GET request parameters \u201csearchName\u201d, \u201csearchValue\u201d, \u201csearchDescription\u201d, \u201csearchDefaultValue\u201d, \u201csearchPlugin\u201d and \u201csearchDynamic\u201d are vulnerable in the following URLs:<\/p>\n

http:\/\/localhost:9090\/server-properties.jsp<\/a><\/p>\n

http:\/\/localhost:9090\/security-audit-viewer.jsp<\/a><\/p>\n

The POST request parameter \u201caction\u201d is vulnerable in this URL:<\/p>\n

http:\/\/localhost:9090\/server-properties.jsp<\/a><\/p>\n

Steps to Reproduce<\/strong>:<\/h2>\n

Issue: Reflected cross-site scripting (POST Request)<\/strong><\/p>\n

Step 1<\/strong>: Log in to the application as admin through the URL.<\/p>\n

Step 2<\/strong>: Navigate to this URL and click the \u2018encrypt\u2019 button.<\/p>\n

Step 3<\/strong>: Set up a proxy and intercept the request.<\/p>\n

Step 4<\/strong>: Add the malicious payload ><script>alert(\u2018VULXSS\u2019)<\/script> to the parameter \u2018action\u2019 and forward the request.<\/p>\n

\"\"<\/p>\n

Figure 01<\/strong>: System Properties page<\/p>\n

\"\"<\/p>\n

Figure 02<\/strong>: Request to the server with the malicious payload ><script>alert(‘VULXSS’)<\/script> in the parameter “action<\/strong>”<\/p>\n

\"\"<\/p>\n

Figure 03<\/strong>: The malicious JavaScript payload is executed in the victim’s browser<\/p>\n

Mitigation<\/strong><\/h2>\n

We recommend the following fixes for this vulnerability:<\/p>\n