Are there concerns about the possibility of uploading malicious .jar plugins that allow for RCE as the user hosting the Openfire server? Oftentimes on Windows this is NT Authority\System because the default installation path is in Program Files (x86).

Is this more like WordPress, where the responsibility lies with the administrator protecting their admin accounts with a secure and unique password, firewall rules, non-default installation, etc.?

Sorry for posting here, couldn’t find a Security related avenue to pose this question.

One should most definitely take careful note of what Openfire plugins are installed, and how the ability to install plugins is limited.

An Openfire plugin has unlimited access within the Java JVM that’s running Openfire. The access of the Openfire process is limited only by the configuration applied by system administration.
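As an added defender-side illustration (not code from this thread or from the Openfire project), the following Python script inventories a plugins directory, hashes each .jar, reads its plugin.xml descriptor and flags any jar whose hash is not on an allowlist. It assumes the descriptor's `<name>` and `<class>` elements; the sample jars and org.example class names are constructed for the demo.

```python
import hashlib
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path


def inventory_plugins(plugins_dir: Path) -> list[dict]:
    """One record per .jar: file name, SHA-256, and descriptor metadata."""
    records = []
    for jar in sorted(plugins_dir.glob("*.jar")):
        rec = {"file": jar.name,
               "sha256": hashlib.sha256(jar.read_bytes()).hexdigest(),
               "name": None, "entry_class": None}
        with zipfile.ZipFile(jar) as zf:
            # Assumption: plugin.xml at the jar root carries <name> and <class>
            if "plugin.xml" in zf.namelist():
                root = ET.fromstring(zf.read("plugin.xml"))
                rec["name"] = root.findtext("name")
                rec["entry_class"] = root.findtext("class")
        records.append(rec)
    return records


def unexpected_plugins(records: list[dict], allowlist: set[str]) -> list[dict]:
    """Jars whose hash is not in the approved set deserve a closer look."""
    return [r for r in records if r["sha256"] not in allowlist]


def _make_jar(path: Path, name: str, cls: str) -> None:
    """Constructed sample jar: descriptor plus a stub class entry."""
    xml = f"<plugin><name>{name}</name><class>{cls}</class></plugin>"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("plugin.xml", xml)
        zf.writestr(cls.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")


def demo() -> list[str]:
    # Constructed scenario: one approved jar, one that nobody signed off on
    tmp = Path(tempfile.mkdtemp())
    _make_jar(tmp / "search.jar", "Search", "org.example.SearchPlugin")
    _make_jar(tmp / "helper.jar", "Helper", "org.example.HelperPlugin")
    allow = {hashlib.sha256((tmp / "search.jar").read_bytes()).hexdigest()}
    flagged = unexpected_plugins(inventory_plugins(tmp), allow)
    for r in flagged:
        print(f"unexpected plugin: {r['file']} ({r['name']}, {r['entry_class']})")
    return [r["file"] for r in flagged]


if __name__ == "__main__":
    demo()
```

Run it periodically (or on a file-change trigger) and diff the output against the last approved inventory.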

I thought as much, I just wanted to double check. I want to make a challenge for HackTheBox and I wanted to make sure I am not accidentally disclosing a 0day.

