
CVE-2023-32315 PoC — Ignite Realtime Openfire Path Traversal Vulnerability

Associated Vulnerability
Title: Ignite Realtime Openfire Path Traversal Vulnerability (CVE-2023-32315)
Description: Ignite Realtime Openfire is a cross-platform, open-source real-time collaboration (RTC) server from the Ignite Realtime community, written in Java and built on XMPP (formerly Jabber, an instant-messaging protocol). It can be used to build an efficient instant-messaging server and supports tens of thousands of concurrent users. Ignite Realtime Openfire has a security vulnerability: it allows an unauthenticated user to use the unauthenticated Openfire setup environment, in an already configured Openfire installation, to reach restricted pages of the Openfire Admin Console that are reserved for administrative users. The following products and versions
Description
A PoC exploit for CVE-2023-32315 - Openfire Authentication Bypass
Readme
# CVE-2023-32315 - Openfire Authentication Bypass

This repository documents a high-severity security issue affecting many versions of Openfire. Openfire, a cross-platform real-time collaboration server built on the XMPP protocol and developed by the Ignite Realtime community, has a serious vulnerability in its web-based administrative console (Admin Console).

The vulnerability lies within the web-based Admin Console, permitting a path traversal attack through the setup environment. This flaw allows unauthenticated users to access restricted pages intended only for administrative users within an already configured Openfire environment.

Openfire already had path traversal protections, but they did not cover a non-standard URL encoding for UTF-16 characters, because the embedded webserver in use at the time did not support that encoding. A later upgrade of the embedded webserver added support for this non-standard encoding, and the existing path traversal protections were never extended to account for it.

Moreover, Openfire's API allowed exclusion of certain URLs from web authentication using wildcard patterns, such as the login page. This combination of wildcard pattern matching and the path traversal vulnerability enabled malicious users to bypass authentication requirements for Admin Console pages.
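To make the interaction between the two weaknesses concrete, here is an added model of the check ordering described above. It is illustrative code written for this page, not Openfire's own authentication filter or the embedded webserver's decoder. The `%uXXXX` form is the non-standard escape for a UTF-16 code unit that the advisory text refers to (`%u002e` is a dot); the exclusion prefixes, the `user-create.jsp` target page and the request paths are assumptions constructed for the demonstration, not values taken from this page.

```python
# Added illustrative model of the CVE-2023-32315 check ordering; not Openfire's
# own code. Exclusion prefixes, page names and request paths are assumptions.
import posixpath
import re
from typing import Optional, Tuple

# One regex for standard %XX escapes and the non-standard %uXXXX escape, which
# carries a single UTF-16 code unit (so %u002e decodes to '.').
_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Assumed wildcard exclusions: the setup wizard must be reachable before any
# admin account exists, so everything matching these prefixes skips the login
# check. The real Openfire patterns are not shown on this page.
AUTH_EXCLUDED_PREFIXES = ("/setup/setup-", "/login.jsp")


def decode_path(raw_path: str) -> str:
    """Decode %XX and %uXXXX in one pass, as the upgraded embedded webserver
    does. Simplification: each %XX becomes one code point (Latin-1 style),
    which is exact for the ASCII paths used here."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), raw_path)


def naive_traversal_guard(raw_path: str) -> bool:
    """Pre-fix style guard: inspects the *raw* request path for '..' written
    plainly or as the standard %2e%2e. Returns True when the request is allowed."""
    lowered = raw_path.lower()
    return ".." not in lowered and "%2e%2e" not in lowered


def is_auth_excluded(path: str) -> bool:
    """Wildcard-style exclusion from the admin login check (assumed prefixes)."""
    return path.startswith(AUTH_EXCLUDED_PREFIXES)


def vulnerable_dispatch(raw_path: str) -> Tuple[bool, Optional[str]]:
    """Model the pre-fix pipeline: the traversal guard and the auth-exclusion
    match both run on the raw path, and only afterwards does the container
    decode (now including %uXXXX) and normalise it to select the page.
    Returns (login_required, served_path); served_path is None if rejected."""
    if not naive_traversal_guard(raw_path):
        return True, None
    login_required = not is_auth_excluded(raw_path)
    served = posixpath.normpath(decode_path(raw_path))
    return login_required, served


def hardened_dispatch(raw_path: str) -> Tuple[bool, Optional[str]]:
    """Decode and canonicalise first, then decide on the canonical path.
    Rejects any residual '%' (double encoding) and any '..' segment."""
    decoded = decode_path(raw_path)
    if "%" in decoded or ".." in decoded.split("/"):
        return True, None
    canonical = posixpath.normpath(decoded)
    return (not is_auth_excluded(canonical)), canonical


if __name__ == "__main__":
    # Constructed requests against an assumed admin-only page; not captured traffic.
    probes = [
        "/setup/setup-s/../../user-create.jsp",                      # plain '..': guard blocks
        "/setup/setup-s/%2e%2e/%2e%2e/user-create.jsp",              # standard escape: guard blocks
        "/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp",  # %u escape: slips through
    ]
    for p in probes:
        print(f"{p}\n  vulnerable: {vulnerable_dispatch(p)}\n  hardened:   {hardened_dispatch(p)}")
```

Running it shows why the ordering matters: the guard and the exclusion match, both looking at the raw string, find nothing wrong with a path under `/setup/setup-` that uses `%u002e%u002e`, while the container resolves that same request to `/user-create.jsp` with no login required. The hardened variant canonicalises first and applies both the traversal check and the exclusion match to the canonical form, also refusing anything that still contains `%` after one decoding pass. The general rule is that every allow or deny decision has to run on exactly the representation the server later uses to pick the resource.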

This vulnerability impacts all Openfire versions released after April 2015, commencing from version 3.10.0. The issue has been patched in releases 4.7.5 and 4.6.8. Further enhancements are slated for the forthcoming version on the 4.8 branch (expected as version 4.8.0).

# The PoC Exploit
![ALT Text](Screenshot_2023-12-15_09-09-47.png)
![ALT Text](Screenshot_2023-12-15_09-12-41.png)
![ALT Text](Screenshot_2023-12-15_09-15-05.png)
![ALT Text](Screenshot_2023-12-15_09-46-59.png)

# Disclaimer

You are responsible for your own actions; abusing this PoC exploit can get you into trouble.
File Snapshot

```text
[4.0K] /data/pocs/a702dd7d0b367aa92ec9f3776ce17df03f5e6e4d
├── [5.2K] CVE-2023-32315.py
├── [1.8K] README.md
├── [ 50K] Screenshot_2023-12-15_09-09-47.png
├── [ 33K] Screenshot_2023-12-15_09-12-41.png
├── [147K] Screenshot_2023-12-15_09-15-05.png
├── [4.8K] Screenshot_2023-12-15_09-16-41.png
└── [ 51K] Screenshot_2023-12-15_09-46-59.png

0 directories, 7 files
```