
Test ID: 1.3.6.1.4.1.25623.1.0.900484
Category: Web application abuses
Title: Openfire < 3.6.1 Multiple Vulnerabilities
Summary: Openfire is prone to multiple vulnerabilities.
Description:
Summary:
Openfire is prone to multiple vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to:

- An error in the AuthCheckFilter that allows access to administrative resources without admin
authentication

- An error in the type parameter inside the file 'sipark-log-summary.jsp' that allows SQL
injection

- An error in the 'login.jsp' URL parameter, which accepts malicious characters as input and
allows XSS

- An error in the SIP-Plugin, which is deactivated by default, that lets an attacker install the
plugin by using admin authentication bypass methods

Vulnerability Impact:
Successful exploitation lets an attacker carry out multiple
attacks in the context of the application, i.e. cross-site scripting (XSS), disclosure of
sensitive information, and phishing attacks through the affected parameters.

Affected Software/OS:
Openfire prior to version 3.6.1.

Solution:
Update to version 3.6.1 or later.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2008-6511
Bugtraq: 20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)
http://www.securityfocus.com/archive/1/498162/100/0/threaded
https://www.exploit-db.com/exploits/7075
http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt
Common Vulnerability Exposure (CVE) ID: CVE-2008-6510
BugTraq ID: 32189
http://www.securityfocus.com/bid/32189
http://www.vupen.com/english/advisories/2008/3061
XForce ISS Database: openfire-url-xss(46486)
https://exchange.xforce.ibmcloud.com/vulnerabilities/46486
Common Vulnerability Exposure (CVE) ID: CVE-2008-6508
http://www.andreas-kurtz.de/archives/63
http://osvdb.org/49663
http://secunia.com/advisories/32478
XForce ISS Database: openfire-authcheckfilter-security-bypass(46488)
https://exchange.xforce.ibmcloud.com/vulnerabilities/46488
Common Vulnerability Exposure (CVE) ID: CVE-2008-6509
http://osvdb.org/51912
XForce ISS Database: openfire-siparklogsummary-sql-injection(46487)
https://exchange.xforce.ibmcloud.com/vulnerabilities/46487
Copyright: Copyright (C) 2009 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.