Monitoring plugin ConversationPDFServlet is not secured

Hi,

I am using Openfire 4.5.2 with Monitoring Service Plugin 2.1.0.

When generating a PDF report of an archived conversation, I discovered that the report endpoint that maps to the ConversationPDFServlet is unsecured. Anyone can send a curl request to retrieve a conversation without having to provide any authorization headers for authentication. They would only need to know the endpoint URL, while passing a conversationID that is a simple number value. This seems to be a glaring vulnerability. I’ve inspected the change logs of the servlet and the web config since v2.1.0 and it doesn’t appear to have been addressed.

Is anyone aware of this issue and whether or not it’s been addressed in more recent versions of the monitoring plugin since 2.1.0?


Hi, thanks for reporting this.

Are you talking about the servlet that is accessible through https://server:9091/plugins/monitoring/conversation?conversationID=number ?

With a recent version of Openfire, trying to access that redirects me to the login page. That seems to suggest that access is restricted. Am I testing the same path as you are? If so, can you reproduce the problem with a recent version of Openfire?

As an aside: access to the Openfire admin console should ideally be limited through network access control lists (like a firewall) as a generic fail-safe. That should help limit the effect of the issue that you’re reporting.
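To turn the check described in this thread into a repeatable self-test of your own server, here is an added example (not code from the thread, the Monitoring plugin or Openfire). It requests the report path quoted above without any credentials and classifies the response: a redirect to the login page or a 401/403 means access is restricted, while a 200 carrying a PDF means the report is exposed. `BASE_URL` and `CONVERSATION_ID` are placeholders for your own admin console and any archived conversation; the `login` path check is a heuristic for Openfire's login page.

```python
"""Unauthenticated self-test for the Monitoring plugin conversation report path.
Added example; assumes BASE_URL is your own Openfire admin console and that an
archived conversation with CONVERSATION_ID exists (both are placeholders)."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

BASE_URL = "https://openfire.example.internal:9091"  # placeholder host
CONVERSATION_ID = 1  # placeholder conversation id

REDIRECTS = (301, 302, 303, 307, 308)


def classify(status, headers, body_prefix):
    """Decide what an unauthenticated response tells us.

    status: HTTP status code; headers: dict with lower-cased keys;
    body_prefix: first bytes of the body (empty for non-200 answers).
    Returns "restricted", "exposed", or a descriptive string otherwise.
    """
    if status in (401, 403):
        return "restricted"
    if status in REDIRECTS:
        location = headers.get("location", "")
        # Heuristic: Openfire's admin console sends unauthenticated
        # requests to a login page (e.g. /login.jsp).
        if "login" in urlparse(location).path.lower():
            return "restricted"
        return "redirect:" + location
    if status == 200:
        ctype = headers.get("content-type", "").lower()
        if body_prefix.startswith(b"%PDF") or "application/pdf" in ctype:
            return "exposed"
        return "unexpected-200"
    return f"status-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url=BASE_URL, conversation_id=CONVERSATION_ID, timeout=10):
    """GET the report path with no session cookie or auth header."""
    url = f"{base_url}/plugins/monitoring/conversation?conversationID={conversation_id}"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Accept": "*/*"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            headers = {k.lower(): v for k, v in resp.headers.items()}
            prefix = resp.read(8)
    except urllib.error.HTTPError as err:
        # Non-2xx answers (including the suppressed redirect) land here.
        status = err.code
        headers = {k.lower(): v for k, v in err.headers.items()}
        prefix = b""
    return classify(status, headers, prefix)


if __name__ == "__main__":
    print(probe())
```

Run it against a test instance; anything other than `restricted` means the report can be fetched without an admin session and the network ACL mentioned above is the only thing standing in the way.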

Yes, that’s right. In my environment, hitting that URL will take me directly to the report even if I do not have an admin session active. Just as a note, I’m going over http (not https).

I’ll try with the latest Openfire version. What version of the Monitoring plugin did you test on?

I’ve used 2.5.0

Sir, I tried to replicate this on Openfire 4.8 and could not do so.
Why are you using such an outdated version?