
CVE-2023-32315 PoC — Openfire administration console authentication bypass

Associated Vulnerability

Title: Openfire administration console authentication bypass (CVE-2023-32315)

Description: Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire releases 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be-released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn't available for a specific release, or isn't quickly actionable, users may see the linked GitHub advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
Description

A PoC exploit for CVE-2023-32315 - Openfire Authentication Bypass

Readme
# CVE-2023-32315 - Openfire Authentication Bypass

This repository highlights a high-severity security issue impacting various versions of Openfire. Openfire, a cross-platform real-time collaboration server built on the XMPP protocol and developed by the Ignite Realtime community, has a severe vulnerability in its web-based administrative console (Admin Console).

The vulnerability lies within the web-based Admin Console, permitting a path traversal attack through the setup environment. This flaw allows unauthenticated users to access restricted pages intended only for administrative users within an already configured Openfire environment.

Openfire did have path traversal protections, but they did not account for a non-standard URL encoding of UTF-16 characters, because the embedded webserver in use at the time did not support that encoding. A later upgrade of the embedded webserver added support for this non-standard encoding, and the existing path traversal protections were never extended to cover it.

Moreover, Openfire's API allowed certain URLs, such as the login page, to be excluded from web authentication using wildcard patterns. The combination of this wildcard pattern matching with the path traversal flaw enabled malicious users to bypass the authentication requirement for Admin Console pages.

This vulnerability impacts all Openfire versions released after April 2015, starting with version 3.10.0. The issue has been patched in releases 4.7.5 and 4.6.8. Further enhancements are slated for the forthcoming version on the 4.8 branch (expected as version 4.8.0).

# The PoC Exploit
![ALT Text](Screenshot_2023-12-15_09-09-47.png)
![ALT Text](Screenshot_2023-12-15_09-12-41.png)
![ALT Text](Screenshot_2023-12-15_09-15-05.png)
![ALT Text](Screenshot_2023-12-15_09-46-59.png)

# Disclaimer

You are responsible for your own actions; abusing this PoC exploit can get you into trouble.
File Snapshot

    [4.0K] /data/pocs/a702dd7d0b367aa92ec9f3776ce17df03f5e6e4d
    ├── [5.2K] CVE-2023-32315.py
    ├── [1.8K] README.md
    ├── [ 50K] Screenshot_2023-12-15_09-09-47.png
    ├── [ 33K] Screenshot_2023-12-15_09-12-41.png
    ├── [147K] Screenshot_2023-12-15_09-15-05.png
    ├── [4.8K] Screenshot_2023-12-15_09-16-41.png
    └── [ 51K] Screenshot_2023-12-15_09-46-59.png

    0 directories, 7 files