{"id":7598,"date":"2020-09-21T21:38:32","date_gmt":"2020-09-22T04:38:32","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7598"},"modified":"2023-04-05T12:43:00","modified_gmt":"2023-04-05T19:43:00","slug":"how-to-detect-vulnerability-cve-2020-24601","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/how-to-detect-vulnerability-cve-2020-24601\/","title":{"rendered":"How to Detect Vulnerability CVE-2020-24601?"},"content":{"rendered":"

Cyber Security Works has discovered a new zero-day vulnerability, CVE-2020-24601\u00a0in Ignite Realtime Openfire 4.5.1. Openfire (formerly Wildfire) is a cross-platform real-time collaboration server based on the XMPP protocol. The vulnerability was discovered by a CSW security researcher on Feb 5, 2020.<\/p>\n

Vulnerability Detection<\/strong><\/h2>\n

CVE-2020-24601 was detected manually using Burp Suite. A stored cross-site scripting attack allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameters “searchName” and “alias<\/strong>” in the import certificate trusted page.<\/p>\n

Disclosure\u00a0<\/strong><\/h2>\n

The vulnerability was disclosed to Openfire on Feb 5, 2020. The vendor responded and released a patch on March 6, 2020, to mitigate this vulnerability.<\/p>\n

Timeline<\/strong><\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n
Date<\/strong><\/td>\nDescription<\/strong><\/td>\n<\/tr>\n
February 4, 2020<\/td>\nVulnerability discovered by CSW Security Researcher<\/td>\n<\/tr>\n
February 5, 2020<\/td>\nVulnerability Reported to Vendor<\/td>\n<\/tr>\n
February 6, 2020<\/td>\nVendor responded with bug tracker Links<\/td>\n<\/tr>\n
February 13, 2020<\/td>\nFollow up with vendor for fix release<\/td>\n<\/tr>\n
March 1, 2020<\/td>\nFollow up with Vendor for Fix Release<\/td>\n<\/tr>\n
March 6, 2020<\/td>\nVendor responded with a released fix<\/td>\n<\/tr>\n
August 20, 2020<\/td>\nRequest for CVE<\/td>\n<\/tr>\n
August 24, 2020<\/td>\nCVE Assigned<\/td>\n<\/tr>\n
September 1, 2020<\/td>\nCVE Published in NVD<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Vulnerability Analysis<\/strong><\/p>\n

CVE-2020-24601 is a stored cross-site scripting vulnerability in Openfire (version 4.5.1). Whenever an authenticated user visits the trust store page, the stored script is executed in that user\u2019s browser context.<\/p>\n

Proof of Concept<\/strong><\/h2>\n

Product<\/strong>: Openfire<\/p>\n

Vendor<\/strong>: Ignite Realtime<\/p>\n

Product version<\/strong>: Version 4.5.1<\/p>\n

Privilege<\/strong>: admin<\/p>\n

Vulnerable URL<\/strong>: \u201calias\u201d is the vulnerable parameter in the POST request to the URL<\/p>\n

http:\/\/localhost:9090\/import-truststore-certificate.jsp?connectionType=SOCKET_S2S<\/p>\n

Steps to Reproduce:\u00a0<\/strong><\/h2>\n

Issue: Stored Cross-Site Scripting<\/strong><\/p>\n

Step 1<\/strong>: Log in to the application (admin) through this URL in Firefox.<\/p>\n

Step 2<\/strong>: Navigate to this URL to visit the \u2018Import CA Certificate\u2019 page.<\/p>\n

Step 3<\/strong>: Add the payload \u201c><script>alert(\u2018VULXSS\u2019) <\/script> in \u2018Alias\u2019, enter a valid Content of Certificate file, and click on Save.<\/p>\n

Step 4<\/strong>: Every time a user visits this URL, the malicious JavaScript is executed in the victim\u2019s browser.<\/p>\n

Figure 1<\/strong>: Import CA Certificate page with malicious payload “><script>alert(‘VULXSS’)<\/script><\/strong> in the alias parameter<\/p>\n

Figure 2<\/strong>: Malicious JavaScript Payload is executed on the victim’s browser every time this page is visited<\/p>\n

Mitigation<\/strong><\/h2>\n

We recommend the following fixes to this vulnerability<\/p>\n